Microsoft Azure API Ingestions and Required Permissions

Reference the table below to identify the Azure APIs ingested by Prisma Cloud. The table also lists all the required permissions for each Azure service.

Misconfiguration Feature Permissions and APIs

Service
API Name
Permissions
Azure Active Directory
azure-active-directory-user
User.Read.All
Azure Active Directory
azure-active-directory-conditional-access-policy
Policy.Read.All
Azure Active Directory
azure-active-directory-named-location
Policy.Read.All
Azure Active Directory
azure-active-directory-group
GroupMember.Read.All
Group.Read.All
Azure Active Directory
azure-active-directory-authorization-policy
Policy.Read.All
Azure Active Directory
azure-active-directory-credential-user-registration-details
Reports.Read.All
Azure Active Directory
azure-active-directory-group-settings
Directory.Read.All
Azure Active Directory
azure-active-directory-enforcement-policy
Policy.Read.All
Azure Active Directory
azure-active-directory-custom-domain
Domain.Read.All
Azure Active Directory
azure-active-directory-service-principal-aws-app
Application.Read.All
Azure Active Directory
azure-active-directory-iam-group
GroupMember.Read.All
Group.Read.All
Azure Active Directory
azure-active-directory-enterprise-applications
Application.Read.All
Azure Active Directory
azure-active-directory-service-principal-app
Application.Read.All
Azure Active Directory
azure-active-directory-app-registration
Application.Read.All
Azure Advisor
azure-advisor-configurations
Microsoft.Advisor/configurations/read
Azure Analysis Services
azure-analysisservices-servers
Microsoft.AnalysisServices/servers/read
Azure API Management
azure-api-management-service
Microsoft.ApiManagement/service/read
Microsoft.ApiManagement/service/portalsettings/read
Microsoft.ApiManagement/service/tenant/read
Azure App Configuration
azure-appconfiguration-configuration-stores
Microsoft.AppConfiguration/configurationStores/read
Azure App Service
azure-app-service
Microsoft.Web/sites/read
Microsoft.Web/sites/config/read
Microsoft.Web/sites/functions/read
Microsoft.Web/sites/config/list/read
Azure App Service
Microsoft.Web/certificates/Read
Azure App Service
azure-app-service-domain
Microsoft.DomainRegistration/domains/Read
Azure App Service
azure-app-service-environment
Microsoft.Web/hostingEnvironments/Read
Azure App Service
azure-app-service-plan
Microsoft.Web/serverfarms/Read
Azure App Service
azure-app-service-deployment-slots
Microsoft.Web/sites/slots/Read
Microsoft.web/serverfarms/sites/read
Azure App Service
azure-web-static-sites
Microsoft.Web/staticSites/read
Azure App Service
azure-app-service-diagnostic-settings
Microsoft.Web/sites/Read
Microsoft.Insights/DiagnosticSettings/Read
Azure Application Gateway
azure-application-gateway
Microsoft.Network/applicationGateways/read
Azure Application Insights
azure-application-insights-component
Microsoft.Insights/Components/read
Azure Attestation
azure-attestation-providers
Microsoft.Attestation/attestationProviders/read
Azure Automanage
azure-automanage-configuration-profiles
Microsoft.Automanage/configurationProfiles/Read
Azure Automation Accounts
azure-automation-account
Microsoft.Automation/automationAccounts/read
Microsoft.Automation/automationAccounts/variables/read
Azure Automation Accounts
azure-automation-account-diagnostic-settings
Microsoft.Automation/automationAccounts/read
Microsoft.Insights/DiagnosticSettings/Read
Azure Availability Sets
azure-vm-availability-set
Microsoft.Compute/availabilitySets/read
Azure Batch Account
azure-batch-account
Microsoft.Batch/batchAccounts/read
Azure Batch Account
azure-batch-account-diagnostic-settings
Microsoft.Batch/batchAccounts/read
Microsoft.Insights/DiagnosticSettings/Read
Azure Batch Account
azure-batch-account-pool
Microsoft.Batch/batchAccounts/read
Microsoft.Batch/batchAccounts/pools/read
Azure Blueprint
azure-blueprints-list
Microsoft.Blueprint/blueprints/read
Azure Bot Service
azure-botservice-bots
Microsoft.BotService/botServices/read
Azure Cache
azure-cache-redis
Microsoft.Cache/redis/read
Microsoft.Cache/redis/firewallRules/read
Azure CDN
azure-cdn-profile
Microsoft.Cdn/profiles/read
Azure CDN
azure-cdn-endpoint
Microsoft.Cdn/profiles/endpoints/read
Microsoft.Cdn/profiles/endpoints/customdomains/read
Azure CDN
azure-frontdoor-standardpremium-origin-groups
Microsoft.Cdn/profiles/read
Microsoft.Cdn/profiles/origingroups/read
Azure CDN
azure-frontdoor-standardpremium-security-policies
Microsoft.Cdn/profiles/read
Microsoft.Cdn/profiles/securitypolicies/read
Azure Chaos Studio
azure-chaos-experiments
Microsoft.Chaos/experiments/read
Azure Cognitive Services
azure-cognitive-services-account
Microsoft.CognitiveServices/accounts/read
Azure Cognitive Services
azure-cognitive-search-service-diagnostic-settings
Microsoft.Search/searchServices/read
Microsoft.Insights/DiagnosticSettings/Read
Azure Communication
azure-communication-services
Microsoft.Communication/CommunicationServices/Read
Azure Compute
azure-disk-list
Microsoft.Compute/disks/read
Azure Compute
azure-virtual-machine-scale-set
Microsoft.Compute/virtualMachineScaleSets/read
Azure Compute
azure-virtual-machine-scale-set-vm
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
Microsoft.Compute/virtualMachineScaleSets/virtualmachines/instanceView/read
Azure Compute
azure-vm-start-time
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/instanceView/read
Azure Compute
azure-compute-dedicated-host-groups
Microsoft.Compute/hostGroups/read
Azure Compute
azure-cloudservices-list
Microsoft.Compute/cloudServices/read
Azure Compute
azure-cloudservices-roleinstance-publicip
Microsoft.Compute/cloudServices/read
Microsoft.Compute/cloudServices/roleInstances/read
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/publicIPAddresses/read
Azure Compute
azure-compute-gallery
Microsoft.Compute/galleries/read
Azure Compute
azure-compute-gallery-image
Microsoft.Compute/galleries/read
Microsoft.Compute/galleries/images/read
Azure Confidential Ledger
azure-confidential-ledgers
Microsoft.ConfidentialLedger/ledgers/read
Azure Confluent
azure-confluent-organizations
Microsoft.Confluent/organizations/Read
Azure Container Apps
azure-app-container-apps
Microsoft.app/containerapps/read
Azure Container Instances
azure-container-instances-container-group
Microsoft.ContainerInstance/containerGroups/read
Azure Container Registry
azure-container-registry
Microsoft.ContainerRegistry/registries/read
Microsoft.ContainerRegistry/registries/metadata/read
Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action
Microsoft.insights/diagnosticSettings/read
Azure Container Registry
azure-container-registry-repository
Microsoft.ContainerInstance/containerGroups/read
Azure Cosmos DB
azure-cosmos-db
Microsoft.DocumentDB/databaseAccounts/read
Azure Cosmos DB
azure-documentdb-cassandra-clusters
Microsoft.DocumentDB/cassandraClusters/read
Azure Cosmos DB
azure-cosmos-db-diagnostic-settings
Microsoft.DocumentDB/databaseAccounts/read
Microsoft.Insights/DiagnosticSettings/Read
Azure Cosmos DB
azure-documentdb-cassandra-clusters-diagnostic-settings
Microsoft.DocumentDB/cassandraClusters/read
Microsoft.Insights/DiagnosticSettings/Read
Azure Data Box Gateway
azure-databox-gateway
Microsoft.DataBoxEdge/dataBoxEdgeDevices/read
Azure Data Catalog
azure-datacatalog-catalog
Microsoft.DataCatalog/catalogs/read
Azure Data Factory
azure-data-factory-v1
Microsoft.DataFactory/datafactories/read
Azure Data Factory
azure-data-factory-v2
Microsoft.DataFactory/factories/read
Azure Data Lake Analytics
azure-data-lake-analytics-account
Microsoft.DataLakeAnalytics/accounts/read
Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/read
Microsoft.DataLakeAnalytics/accounts/firewallRules/read
Microsoft.DataLakeAnalytics/accounts/storageAccounts/read
Azure Data Lake Analytics
azure-data-lake-analytics-diagnostic-settings
Microsoft.DataLakeAnalytics/accounts/read
Microsoft.Insights/DiagnosticSettings/Read
Azure Data Lake Store Gen1
azure-data-lake-store-gen1-account
Microsoft.DataLakeStore/accounts/read
Microsoft.DataLakeStore/accounts/firewallRules/read
Microsoft.DataLakeStore/accounts/trustedIdProviders/read
Microsoft.DataLakeStore/accounts/virtualNetworkRules/read
Azure Data Shares
azure-data-shares-account
Microsoft.DataShare/accounts/read
Azure Database for MariaDB Server
azure-database-maria-db-server
Microsoft.DBforMariaDB/servers/read
Azure Database for MariaDB Server
azure-database-maria-db-server-diagnostic-settings
Microsoft.DBforMariaDB/servers/read
Microsoft.Insights/DiagnosticSettings/Read
Azure Database for MySQL
azure-mysql-server
Microsoft.DBforMySQL/servers/read
Microsoft.DBforMySQL/servers/firewallRules/read
Microsoft.DBforMySQL/servers/virtualNetworkRules/read
Azure Database for MySQL
azure-mysql-flexible-server
Microsoft.DBforMySQL/flexibleServers/read
Microsoft.DBforMySQL/flexibleServers/firewallRules/read
Microsoft.DBforMySQL/flexibleServers/configurations/read
Azure Database for MySQL
azure-mysql-flexible-server-diagnostic-settings
Microsoft.DBforMySQL/flexibleServers/read
Microsoft.Insights/DiagnosticSettings/Read
Azure Database for PostgreSQL
azure-postgresql-server
Microsoft.DBforPostgreSQL/servers/read
Microsoft.DBforPostgreSQL/servers/firewallRules/read
Microsoft.DBforPostgreSQL/serversv2/firewallRules/read
Microsoft.DBforPostgreSQL/servers/configurations/read
Microsoft.insights/diagnosticSettings/read
Azure Database for PostgreSQL
azure-postgresql-flexible-server
Microsoft.DBforPostgreSQL/flexibleServers/read
Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/read
Microsoft.DBforPostgreSQL/flexibleServers/configurations/read
Azure Database for PostgreSQL
azure-postgresql-flexible-server-diagnostic-settings
Microsoft.DBforPostgreSQL/flexibleServers/read
Microsoft.Insights/DiagnosticSettings/Read
Azure Database Migration Projects
azure-database-migration-project
Microsoft.DataMigration/services/read
Azure Databricks
azure-databricks-workspace
Microsoft.Databricks/workspaces/read
Azure Datadog
azure-datadog-monitors
Microsoft.Datadog/monitors/read
Azure Defender for Cloud
azure-iot-security-solutions
Microsoft.Security/iotSecuritySolutions/read
Azure Defender for Cloud
azure-defender-for-cloud-security-contact
Microsoft.Security/securityContacts/read
Azure Defender for Cloud
azure-defender-for-cloud-setting
Microsoft.Security/settings/read
Azure Defender for Cloud
azure-defender-for-cloud-workspace-setting
Microsoft.Security/workspaceSettings/read
Azure Defender for Cloud
azure-defender-for-cloud-automation
Microsoft.Security/automations/read
Azure Defender for Cloud
azure-defender-for-cloud-location
Microsoft.Security/locations/read
Azure Defender for Cloud
azure-defender-for-cloud-pricing
Microsoft.Security/pricings/read
Azure Dev Center
azure-dev-centers
Microsoft.DevCenter/devcenters/read
Azure Dev Test Labs
azure-devtestlab-global-schedules
Microsoft.DevTestLab/schedules/read
Azure DevOps
azure-devops-pipelines
Microsoft.DevOps/pipelines/read
Azure Digital Twins
azure-digital-twins
Microsoft.DigitalTwins/digitalTwinsInstances/read
Azure DNS
azure-dns-zones
Microsoft.Network/dnsZones/read
Azure DNS
azure-dns-recordsets
Microsoft.Network/dnsZones/recordsets/read
Azure Elastic
azure-elastic-monitors
Microsoft.Elastic/monitors/read
Azure Event Grid
azure-event-grid-domains
Microsoft.EventGrid/domains/read
Azure Event Grid
azure-event-grid-topic
Microsoft.EventGrid/topics/read
Azure Event Grid
azure-event-grid-topic-privatelinkresource
Microsoft.EventGrid/topics/read
Microsoft.EventGrid/topics/privateLinkResources/read
Azure Event Grid
azure-event-grid-domains-privatelinkresource
Microsoft.EventGrid/domains/read
Microsoft.EventGrid/domains/privateLinkResources/read
Azure Event Hubs
azure-event-hub-namespace
Microsoft.EventHub/namespaces/read
Microsoft.EventHub/namespaces/authorizationRules/read
Microsoft.EventHub/namespaces/virtualnetworkrules/read
Microsoft.EventHub/namespaces/ipfilterrules/read
Azure Event Hubs
azure-event-hub
Microsoft.EventHub/namespaces/eventhubs/read
Microsoft.EventHub/namespaces/eventhubs/authorizationRules/read
Azure Event Hubs
azure-event-hub-namespace-private-endpoint-connections
Microsoft.EventHub/Namespaces/PrivateEndpointConnections/read
Azure Event Hubs
azure-event-hub-cluster
Microsoft.EventHub/clusters/read
Azure Event Hubs
azure-event-hub-namespace-diagnostic-settings
Microsoft.EventHub/namespaces/read
Microsoft.Insights/DiagnosticSettings/Read
Azure Front Door
azure-frontdoor
Microsoft.Network/frontDoors/read
Microsoft.Network/frontDoors/routingRules/read
Microsoft.Network/frontDoors/backendPools/read
Microsoft.Network/frontDoors/frontendEndpoints/read
Microsoft.Network/frontDoors/healthProbeSettings/read
Microsoft.Network/frontDoors/loadBalancingSettings/read
Microsoft.Network/frontDoors/rulesEngines/read
Azure HDInsight
azure-hdinsight-cluster
Microsoft.HDInsight/clusters/read
Azure HDInsight
azure-hdinsight-applications
Microsoft.HDInsight/clusters/read
Microsoft.HDInsight/clusters/applications/read
Azure Health Bot
azure-healthbot-bots
Microsoft.HealthBot/healthBots/Read
Azure Healthcare Apis
azure-healthcare-apis-workspaces
Microsoft.HealthcareApis/workspaces/read
Azure HPC Cache
azure-hpc-cache
Microsoft.StorageCache/caches/read
Microsoft.StorageCache/Subscription/caches/read
Azure Hybrid Compute
azure-hybridcompute-machines
Microsoft.HybridCompute/machines/read
Azure IoT Central
azure-iot-central-apps
Microsoft.IoTCentral/IoTApps/read
Azure IoT Hub
azure-devices-iot-hub-resource
Microsoft.Devices/iotHubs/Read
Azure IoT Hub
azure-devices-iot-hub-privatelinkresource
Microsoft.Devices/iotHubs/Read
Microsoft.Devices/iotHubs/privateLinkResources/Read
Azure Key Vault
azure-key-vault-list
Microsoft.KeyVault/vaults/read
Microsoft.KeyVault/vaults/keys/read
Microsoft.KeyVault/vaults/certificates/read
Microsoft.KeyVault/vaults/secrets/readMetadata/action
Microsoft.insights/diagnosticSettings/read
Azure Key Vault
azure-key-vault-certificate
Microsoft.KeyVault/vaults/read
Microsoft.KeyVault/vaults/certificates/read
NOTE: Application certificate read permission is required if the application is part of the onboarded account.
Azure Key Vault
azure-key-vault-privatelinkresource
Microsoft.KeyVault/vaults/read
Microsoft.KeyVault/vaults/privateLinkResources/read
Azure Key Vault
azure-key-vault-diagnostic-settings
Microsoft.KeyVault/vaults/read
Microsoft.Insights/DiagnosticSettings/Read
Azure Kubernetes Service
azure-kubernetes-cluster
Microsoft.ContainerService/managedClusters/read
Azure Kubernetes Service
azure-kubernetes-cluster-diagnostic-settings
Microsoft.ContainerService/managedClusters/read
Microsoft.Insights/DiagnosticSettings/Read
Azure Kusto
azure-kusto-clusters
Microsoft.Kusto/clusters/read/read
Azure Lab Services
azure-labservices-labs
Microsoft.LabServices/labs/read
Azure Load Balancer
azure-network-lb-list
Microsoft.Network/loadBalancers/read
Microsoft.insights/diagnosticSettings/read
Azure Load Testing
azure-loadtest-service-load-tests
Microsoft.LoadTestService/loadTests/read
Azure Local Network Gateways
azure-local-network-gateways
Microsoft.Network/localnetworkgateways/read
Azure Log Analytics
azure-log-analytics-workspace
Microsoft.OperationalInsights/workspaces/read
Azure Logic Apps
azure-logic-app-workflow
Microsoft.Web/customApis
Azure Logic Apps
azure-logic-app-custom-connector
Microsoft.Web/customApis
Azure Logic Apps
azure-logic-app-integration-account
Microsoft.Logic/integrationAccounts/read
Azure Logic Apps
azure-logic-app-workflow-diagnostic-settings
Microsoft.Logic/workflows/read
Microsoft.Insights/DiagnosticSettings/Read
Azure Machine Learning
azure-machine-learning-workspace
Microsoft.MachineLearningServices/workspaces/read
Azure Managed Applications
azure-solutions-applications
Microsoft.Solutions/applications/read
Azure Managed Grafana
azure-dashboard-grafana
Microsoft.Dashboard/grafana/read
Azure Managed Identity
azure-managed-identity-user-assigned-identities
Microsoft.ManagedIdentity/userAssignedIdentities/read
Azure Managed Services
azure-managedservices-registration-assignments
Microsoft.ManagedServices/registrationAssignments/read
Azure Management Group
azure-management-group-entities-list
Microsoft.Resources/subscriptions/read
Microsoft.Management/managementGroups/descendants/read
Microsoft.PowerBIDedicated/capacities/read
Azure Maps Management
azure-maps-accounts
Microsoft.Maps/accounts/read
Azure Media Service
azure-media-service-account
Microsoft.Media/mediaservices/read
Azure Mixed Reality
azure-mixed-reality-object-anchors-accounts
Microsoft.MixedReality/ObjectAnchorsAccounts/read
Azure Monitor
azure-monitor-log-profiles-list
Microsoft.Insights/LogProfiles/read
Azure Monitor
azure-activity-log-alerts
Microsoft.Insights/ActivityLogAlerts/read
Azure NetApp Files
azure-netappfiles-account
Microsoft.NetApp/netAppAccounts/read
Azure Network Function
azure-network-function-traffic-collectors
Microsoft.NetworkFunction/azureTrafficCollectors/read
Azure Network Watcher
azure-network-watcher-list
Microsoft.Network/networkWatchers/read
Microsoft.Network/networkWatchers/securityGroupView/action
Microsoft.Network/networkWatchers/queryFlowLogStatus/action
Azure Notification Hubs
azure-notification-hub-namespace
Microsoft.NotificationHubs/Namespaces/read
Azure Notification Hubs
azure-notification-hub
Microsoft.NotificationHubs/Namespaces/NotificationHubs/read
Azure Orbital
azure-orbital-spacecrafts
Microsoft.Orbital/spacecrafts/read
Azure Policy
azure-policy-assignments
Microsoft.Authorization/policyAssignments/read
Azure Policy
azure-policy-definition
Microsoft.Authorization/policyDefinitions/read
Azure Power BI Embedded
azure-powerbi-dedicated-capacities
Microsoft.PowerBIDedicated/servers/read
Microsoft.PowerBIDedicated/capacities/read
Azure Purview
azure-purview-account
Microsoft.Purview/accounts/read
Microsoft.Purview/getDefaultAccount/read
Microsoft.Purview/accounts/privateEndpointConnections/read
Azure Purview
azure-purview-default-account
Microsoft.Purview/accounts/read
Microsoft.Purview/getDefaultAccount/read
Microsoft.Resources/subscriptions/read
Azure Purview
azure-purview-privatelinkresource
Microsoft.Purview/accounts/privatelinkresources/read
Azure Quantum
azure-quantum-workspace
Microsoft.Quantum/Workspaces/Read
Azure Recovery Services
azure-recovery-service-vault
Microsoft.RecoveryServices/Vaults/read
Azure Recovery Services
azure-recovery-service-backup-protected-item
Microsoft.RecoveryServices/Vaults/backupProtectedItems/read
Azure Recovery Services
azure-recovery-service-vault-diagnostic-settings
Microsoft.RecoveryServices/Vaults/read
Microsoft.Insights/DiagnosticSettings/Read
Azure Red Hat OpenShift
azure-redhat-openshift-cluster
Microsoft.RedHatOpenShift/openShiftClusters/read
Azure Resource Manager
azure-resource-group
Microsoft.Resources/subscriptions/resourceGroups/read
Azure Resource Manager
azure-role-definition
Microsoft.Authorization/roleDefinitions/read
Azure Resource Manager
azure-role-assignment
Microsoft.Authorization/roleAssignments/read
Azure Resource Manager
azure-classic-resource
Microsoft.Authorization/classicAdministrators/read
Azure Resource Mover
azure-migrate-move-collections
Microsoft.Migrate/moveCollections/read
Azure Security Center
azure-security-center-settings
Microsoft.Security/autoProvisioningSettings/read
Microsoft.Security/pricings/read
Microsoft.Security/securityContacts/read
Microsoft.Security/settings/read
Azure Service Bus
azure-service-bus-namespace
Microsoft.ServiceBus/namespaces/read
Microsoft.ServiceBus/namespaces/authorizationRules/read
Microsoft.ServiceBus/namespaces/providers/Microsoft.Insights/diagnosticSettings/read
Microsoft.ServiceBus/namespaces/networkrulesets/read
Azure Service Bus
azure-service-bus-namespace-private-endpoint-connection
Microsoft.ServiceBus/namespaces/privateEndpointConnections/read
Azure Service Bus
azure-service-bus-queue
Microsoft.ServiceBus/namespaces/queues/read
Azure Service Bus
azure-service-bus-topic
Microsoft.ServiceBus/namespaces/topics/read
Azure Service Bus
azure-service-bus-topic-subscription
Microsoft.ServiceBus/namespaces/topics/subscriptions/read
Azure Service Fabric
azure-service-fabric-cluster
Microsoft.ServiceFabric/clusters/read
Azure SignalR Service
azure-signalr
Microsoft.SignalRService/SignalR/read
Azure Spring Cloud
azure-spring-cloud-service
Microsoft.AppPlatform/Spring/read
Azure Spring Cloud
azure-spring-cloud-app
Microsoft.AppPlatform/Spring/apps/read
Azure SQL Database
azure-sql-db-list
Microsoft.Sql/servers/databases/read
Microsoft.Sql/servers/databases/securityAlertPolicies/read
Microsoft.Sql/servers/databases/transparentDataEncryption/read
Microsoft.Sql/servers/databases/auditingSettings/read
Microsoft.insights/diagnosticSettings/read
Azure SQL Database
azure-sql-server-list
Microsoft.Sql/servers/read
Microsoft.Sql/servers/securityAlertPolicies/read
Microsoft.Sql/servers/auditingSettings/read
Microsoft.Sql/servers/administrators/read
Microsoft.Sql/servers/encryptionProtector/read
Microsoft.Sql/servers/firewallRules/read
Azure SQL Database
azure-sql-managed-instance
Microsoft.Sql/managedInstances/read
Azure SQL Database
azure-sql-managed-instance-diagnostic-settings
Microsoft.Sql/managedInstances/read
Microsoft.Insights/DiagnosticSettings/Read
Azure SQL Database
azure-sql-db-diagnostic-settings
Microsoft.Sql/servers/read
Microsoft.Sql/servers/databases/read
Microsoft.Insights/DiagnosticSettings/Read
Azure Stack HCI
azure-azurestackhci-clusters
Microsoft.AzureStackHCI/Clusters/Read
Azure Storage
azure-storage-account-list
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/listKeys/action
Microsoft.Storage/storageAccounts/tableServices/read
Microsoft.Storage/storageAccounts/queueServices/read
Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read
Microsoft.insights/diagnosticSettings/read
Azure Storage
azure-storage-account-diagnostic-settings
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/listKeys/action
Microsoft.Storage/storageAccounts/tableServices/read
Microsoft.Storage/storageAccounts/queueServices/read
Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read
Microsoft.insights/diagnosticSettings/read
Azure Storage
azure-storage-account-table-diagnostic-settings
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/tableServices/read
Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read
Azure Storage
azure-storage-account-queue-diagnostic-settings
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/queueServices/read
Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read
Azure Storage
azure-storage-account-file-diagnostic-settings
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/fileServices/read
Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read
Azure Storage
azure-storage-account-blob-diagnostic-settings
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/blobServices/read
Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read
Azure Storage
azure-storage-account-keys
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/listKeys/action
Azure Storage
azure-storage-file-shares
Microsoft.Storage/storageAccounts/fileServices/shares/read
Azure Storage Mover
azure-storage-movers
Microsoft.StorageMover/storageMovers/read
Azure Storage Sync Services
azure-storage-sync-service
Microsoft.StorageSync/storageSyncServices/read
Azure Storage Sync Services
azure-storage-sync-service-privatelinkresource
Microsoft.StorageSync/storageSyncServices/read
Microsoft.StorageSync/storageSyncServices/privateLinkResources/read
Azure StorSimple
azure-storsimple-managers
Microsoft.StorSimple/managers/read
Azure Stream Analytics
azure-streamanalytics-clusters
Microsoft.StreamAnalytics/clusters/Read
Azure Stream Analytics
azure-streamanalytics-streamingjobs
Microsoft.StreamAnalytics/streamingjobs/Read
Azure Stream Analytics
azure-streamanalytics-streamingjobs-diagnostic-settings
Microsoft.StreamAnalytics/streamingjobs/Read
Microsoft.Insights/DiagnosticSettings/Read
Azure Subscriptions
azure-subscription-resource-providers-registration-status
Microsoft.Resources/subscriptions/providers/read
Azure Subscriptions
azure-subscription-tenantpolicy
Microsoft.Subscription/Policies/default/read
Azure Subscriptions
azure-subscription-list
Microsoft.Resources/subscriptions/read
Azure Synapse Analytics
azure-synapse-privatelinkhub-privatelinkresource
Microsoft.Synapse/privateLinkHubs/privateLinkResources/read
Azure Synapse Analytics
azure-synapse-privatelinkresource
Microsoft.Synapse/workspaces/read
Microsoft.Synapse/workspaces/privateLinkResources/read
Azure Synapse Analytics
azure-synapse-privatelinkhub
Microsoft.Synapse/privateLinkHubs/read
Azure Synapse Analytics
azure-synapse-spark-configuration
Microsoft.Synapse/workspaces/read
Microsoft.Synapse/workspaces/sparkConfigurations/read
Azure Synapse Analytics
azure-synapse-workspace
Microsoft.Synapse/workspaces/read
Azure Test Base
azure-test-base-accounts
Microsoft.TestBase/testBaseAccounts/read
Azure Time Series Insights
azure-timeseriesinsights-environments
Microsoft.TimeSeriesInsights/environments/read
Azure Traffic Manager
azure-traffic-manager-profile
Microsoft.Network/trafficManagerProfiles/read
Azure Video Indexer
azure-video-indexer-accounts
Microsoft.VideoIndexer/accounts/read
Azure Virtual Desktop
azure-virtual-desktop-workspace
Microsoft.DesktopVirtualization/workspaces/read
Microsoft.DesktopVirtualization/workspaces/providers/Microsoft.Insights/diagnosticSettings/read
Azure Virtual Desktop
azure-virtual-desktop-session-host
Microsoft.DesktopVirtualization/hostpools/read
Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
Microsoft.DesktopVirtualization/hostpools/sessionhostconfigurations/read
Azure Virtual Network
azure-network-vnet-list
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read
Microsoft.insights/diagnosticSettings/read
Azure Virtual Network
azure-network-nic-list
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action
Azure Virtual Network
azure-network-nsg-list
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/networkSecurityGroups/securityRules/read
Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read
microsoft.insights/diagnosticSettings/read
Azure Virtual Network
azure-network-subnet-list
Microsoft.Network/virtualNetworks/subnets/read
Azure Virtual Network
azure-network-peering
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read
Azure Virtual Network
azure-network-route-table
Microsoft.Network/routeTables/read
Microsoft.Network/routeTables/routes/read
Azure Virtual Network
azure-network-application-security-group
Microsoft.Network/applicationSecurityGroups/read
Azure Virtual Network
azure-network-firewall
Microsoft.Network/azurefirewalls/read
Microsoft.insights/diagnosticSettings/read
Azure Virtual Network
azure-network-usage
Microsoft.Network/locations/usages/read
Azure Virtual Network
azure-network-public-ip-address
Microsoft.Network/publicIPAddresses/read
Microsoft.insights/diagnosticSettings/read
Azure Virtual Network
azure-ddos-protection-plan
Microsoft.Network/ddosProtectionPlans/read
Azure Virtual Network
azure-network-firewall-policy
Microsoft.Network/firewallPolicies/read
Azure Virtual Network
azure-bastion-host
Microsoft.Network/bastionHosts/read
Azure Virtual Network
azure-private-link-service
Microsoft.Network/privateLinkServices/read
Azure Virtual Network
azure-network-natgateway
Microsoft.Network/natGateways/read
Azure Virtual Network
azure-vmss-instance-public-ips
Microsoft.Compute/virtualMachineScaleSets/read
Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses/read
Azure Virtual Network
azure-vmss-network-interface
Microsoft.Compute/virtualMachineScaleSets/read
Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read
Azure Virtual Network
azure-network-effective-nsg
Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action
Azure Virtual Network
azure-network-effective-route-table
Microsoft.Network/networkInterfaces/effectiveRouteTable/action
Azure Virtual Network
azure-network-public-ip-prefixes
Microsoft.Network/publicIPPrefixes/read
Azure Virtual Network
azure-network-service-endpoint-policy
Microsoft.Network/serviceEndpointPolicies/read
Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions/read
Azure Virtual Network
azure-network-private-endpoint
Microsoft.Network/privateEndpoints/read
Azure Virtual Network Gateway
azure-virtual-network-gateway
Microsoft.Network/virtualNetworkGateways/read
Azure Virtual WAN
azure-virtual-wan-list
Microsoft.Network/virtualWans/read
Azure Virtual WAN
azure-vpn-server-configurations
Microsoft.Network/vpnServerConfigurations/read
Azure Virtual WAN
azure-p2s-vpn-gateway
Microsoft.Network/p2sVpnGateways/read
Azure Visual Studio
azure-visual-studio-accounts
Microsoft.VisualStudio/account/read
Azure VPN Gateway
azure-network-vpn-connection-list
Microsoft.Network/virtualNetworkGateways/read
Microsoft.network/virtualnetworkgateways/connections/read
Microsoft.Network/virtualwans/vpnconfiguration/action
Azure Web Application Firewall
azure-frontdoor-waf-policy
Microsoft.Network/frontDoorWebApplicationFirewallPolicies/read
Azure Web Application Firewall
azure-application-gateway-waf-policy
Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/read
Azure Web PubSub Service
azure-signalrservice-web-pub-sub
Microsoft.SignalRService/WebPubSub/read
Azure Workloads
azure-workloads-monitors
Microsoft.Workloads/monitors/read

Azure Feature Permissions

Feature
Permissions
Workload Discovery
Microsoft.ContainerRegistry/registries/read
Microsoft.ContainerRegistry/registries/metadata/read
Microsoft.ContainerRegistry/registries/pull/read
Microsoft.ContainerService/managedClusters/read
Microsoft.Web/sites/Read
Microsoft.ContainerInstance/containerGroups/read
Microsoft.ContainerInstance/containerGroups/containers/exec/action
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/hostGroups/read
Threat Detection
Audit Logs
Microsoft.Insights/ActivityLogAlerts/read
Flow Logs
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/listKeys/action
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/networkWatchers/read
Microsoft.Network/networkWatchers/securityGroupView/action
Microsoft.Network/networkWatchers/queryFlowLogStatus/*
Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action
Microsoft.Network/virtualwans/vpnconfiguration/action
Agentless Workload Scanning
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/subscriptions/resourceGroups/write
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkInterfaces/write
Microsoft.Network/networkInterfaces/delete
Microsoft.Network/networkInterfaces/join/action
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/networkSecurityGroups/write
Microsoft.Network/networkSecurityGroups/delete
Microsoft.Network/networkSecurityGroups/join/action
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/write
Microsoft.Network/virtualNetworks/delete
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Compute/disks/read
Microsoft.Compute/disks/write
Microsoft.Compute/disks/delete
Microsoft.Compute/disks/beginGetAccess/action
Microsoft.Compute/snapshots/read
Microsoft.Compute/snapshots/write
Microsoft.Compute/snapshots/delete
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/write
Microsoft.Compute/virtualMachines/delete
Microsoft.Compute/virtualMachines/instanceView/read
Microsoft.Compute/virtualMachineScaleSets/read
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
Microsoft.Compute/virtualMachineScaleSets/virtualmachines/instanceView/read
Serverless Function Scanning
Microsoft.Web/sites/read
Microsoft.Web/sites/config/list/action
Microsoft.web/sites/functions/action
Microsoft.web/sites/functions/read
Microsoft.Web/sites/publishxml/action
Agent Based Workload Scanning
Microsoft.Compute/virtualMachines/runCommand/action
Microsoft.Compute/locations/operations/read
Microsoft.Resources/subscriptions/locations/read
Microsoft.Compute/locations/publishers/artifacttypes/offers/skus/versions/read
Microsoft.Compute/images/read
Microsoft.Compute/galleries/read
Microsoft.Compute/galleries/images/read
Microsoft.Compute/galleries/images/versions/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/subscriptions/resourceGroups/write
Microsoft.Resources/subscriptions/resourceGroups/delete
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/networkSecurityGroups/write
Microsoft.Network/networkSecurityGroups/join/action
Microsoft.Network/networkSecurityGroups/delete
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkInterfaces/write
Microsoft.Network/networkInterfaces/join/action
Microsoft.Network/networkInterfaces/delete
Microsoft.Compute/disks/write
Microsoft.Compute/disks/delete
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/write
Microsoft.Compute/virtualMachines/start/action
Microsoft.Compute/virtualMachines/delete
Built-in Role: Key Vault Crypto Service Encryption User
Remediation
Microsoft.Web/sites/Write
Microsoft.KeyVault/vaults/read
Microsoft.Insights/LogProfiles/read
Microsoft.Insights/LogProfiles/Write
Microsoft.Insights/LogProfiles/Delete
Microsoft.DBforPostgreSQL/servers/configurations/read
Microsoft.DBforPostgreSQL/servers/configurations/write
Microsoft.DBforMySQL/flexibleServers/configurations/write
Microsoft.Sql/servers/databases/securityAlertPolicies/read
Microsoft.Sql/servers/databases/securityAlertPolicies/write
Microsoft.Web/sites/config/Write
Microsoft.Storage/storageAccounts/write
Microsoft.Authorization/policyAssignments/read
Microsoft.Authorization/policyAssignments/write
Microsoft.Authorization/policyAssignments/delete
Microsoft.Sql/servers/databases/transparentDataEncryption/read
Microsoft.Sql/servers/databases/transparentDataEncryption/write
Microsoft.Network/networkSecurityGroups/securityRules/read
Microsoft.Network/networkSecurityGroups/securityRules/write
Microsoft.Network/networkSecurityGroups/securityRules/delete
Microsoft.Security/autoProvisioningSettings/read
Microsoft.Security/autoProvisioningSettings/write
Microsoft.Storage/storageAccounts/*