Microsoft Azure API Ingestions and Required Permissions
Reference the table below to identify the Azure APIs ingested by Prisma Cloud. The table also lists all the required permissions for each Azure service.
Misconfiguration Feature Permissions and APIs
Service | API Name | Permissions |
---|---|---|
Azure Active Directory | azure-active-directory-user | User.Read.All |
Azure Active Directory | azure-active-directory-conditional-access-policy | Policy.Read.All |
Azure Active Directory | azure-active-directory-named-location | Policy.Read.All |
Azure Active Directory | azure-active-directory-group | GroupMember.Read.All Group.Read.All |
Azure Active Directory | azure-active-directory-authorization-policy | Policy.Read.All |
Azure Active Directory | azure-active-directory-credential-user-registration-details | Reports.Read.All |
Azure Active Directory | azure-active-directory-group-settings | Directory.Read.All |
Azure Active Directory | azure-active-directory-enforcement-policy | Policy.Read.All |
Azure Active Directory | azure-active-directory-custom-domain | Domain.Read.All |
Azure Active Directory | azure-active-directory-service-principal-aws-app | Application.Read.All |
Azure Active Directory | azure-active-directory-iam-group | GroupMember.Read.All Group.Read.All |
Azure Active Directory | azure-active-directory-enterprise-applications | Application.Read.All |
Azure Active Directory | azure-active-directory-service-principal-app | Application.Read.All |
Azure Active Directory | azure-active-directory-app-registration | Application.Read.All |
Azure Advisor | azure-advisor-configurations | Microsoft.Advisor/configurations/read |
Azure Analysis Services | azure-analysisservices-servers | Microsoft.AnalysisServices/servers/read |
Azure API Management | azure-api-management-service | Microsoft.ApiManagement/service/read Microsoft.ApiManagement/service/portalsettings/read Microsoft.ApiManagement/service/tenant/read |
Azure App Configuration | azure-appconfiguration-configuration-stores | Microsoft.AppConfiguration/configurationStores/read |
Azure App Service | azure-app-service | Microsoft.Web/sites/read Microsoft.Web/sites/config/read Microsoft.Web/sites/functions/read Microsoft.Web/sites/config/list/read |
Azure App Service | | Microsoft.Web/certificates/Read |
Azure App Service | azure-app-service-domain | Microsoft.DomainRegistration/domains/Read |
Azure App Service | azure-app-service-environment | Microsoft.Web/hostingEnvironments/Read |
Azure App Service | azure-app-service-plan | Microsoft.Web/serverfarms/Read |
Azure App Service | azure-app-service-deployment-slots | Microsoft.Web/sites/slots/Read Microsoft.web/serverfarms/sites/read |
Azure App Service | azure-web-static-sites | Microsoft.Web/staticSites/read |
Azure App Service | azure-app-service-diagnostic-settings | Microsoft.Web/sites/Read Microsoft.Insights/DiagnosticSettings/Read |
Azure Application Gateway | azure-application-gateway | Microsoft.Network/applicationGateways/read |
Azure Application Insights | azure-application-insights-component | Microsoft.Insights/Components/read |
Azure Attestation | azure-attestation-providers | Microsoft.Attestation/attestationProviders/read |
Azure Automanage | azure-automanage-configuration-profiles | Microsoft.Automanage/configurationProfiles/Read |
Azure Automation Accounts | azure-automation-account | Microsoft.Automation/automationAccounts/read Microsoft.Automation/automationAccounts/variables/read |
Azure Automation Accounts | azure-automation-account-diagnostic-settings | Microsoft.Automation/automationAccounts/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Availability Sets | azure-vm-availability-set | Microsoft.Compute/availabilitySets/read |
Azure Batch Account | azure-batch-account | Microsoft.Batch/batchAccounts/read |
Azure Batch Account | azure-batch-account-diagnostic-settings | Microsoft.Batch/batchAccounts/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Batch Account | azure-batch-account-pool | Microsoft.Batch/batchAccounts/read Microsoft.Batch/batchAccounts/pools/read |
Azure Blueprints | azure-blueprints-list | Microsoft.Blueprint/blueprints/read |
Azure Bot Service | azure-botservice-bots | Microsoft.BotService/botServices/read |
Azure Cache for Redis | azure-cache-redis | Microsoft.Cache/redis/read Microsoft.Cache/redis/firewallRules/read |
Azure Content Delivery Network | azure-cdn-profile | Microsoft.Cdn/profiles/read |
Azure Content Delivery Network | azure-cdn-endpoint | Microsoft.Cdn/profiles/endpoints/read Microsoft.Cdn/profiles/endpoints/customdomains/read |
Azure Content Delivery Network | azure-frontdoor-standardpremium-origin-groups | Microsoft.Cdn/profiles/read Microsoft.Cdn/profiles/origingroups/read |
Azure Content Delivery Network | azure-frontdoor-standardpremium-security-policies | Microsoft.Cdn/profiles/read Microsoft.Cdn/profiles/securitypolicies/read |
Azure Chaos Studio | azure-chaos-experiments | Microsoft.Chaos/experiments/read |
Azure Cognitive Services | azure-cognitive-services-account | Microsoft.CognitiveServices/accounts/read |
Azure Cognitive Services | azure-cognitive-search-service-diagnostic-settings | Microsoft.Search/searchServices/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Communication Services | azure-communication-services | Microsoft.Communication/CommunicationServices/Read |
Azure Compute | azure-disk-list | Microsoft.Compute/disks/read |
Azure Compute | azure-virtual-machine-scale-set | Microsoft.Compute/virtualMachineScaleSets/read |
Azure Compute | azure-virtual-machine-scale-set-vm | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read Microsoft.Compute/virtualMachineScaleSets/virtualmachines/instanceView/read |
Azure Compute | azure-vm-start-time | Microsoft.Compute/virtualMachines/read Microsoft.Compute/virtualMachines/instanceView/read |
Azure Compute | azure-compute-dedicated-host-groups | Microsoft.Compute/hostGroups/read |
Azure Compute | azure-cloudservices-list | Microsoft.Compute/cloudServices/read |
Azure Compute | azure-cloudservices-roleinstance-publicip | Microsoft.Compute/cloudServices/read Microsoft.Compute/cloudServices/roleInstances/read Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/publicIPAddresses/read |
Azure Compute | azure-compute-gallery | Microsoft.Compute/galleries/read |
Azure Compute | azure-compute-gallery-image | Microsoft.Compute/galleries/read Microsoft.Compute/galleries/images/read |
Azure Confidential Ledger | azure-confidential-ledgers | Microsoft.ConfidentialLedger/ledgers/read |
Azure Confluent | azure-confluent-organizations | Microsoft.Confluent/organizations/Read |
Azure Container Apps | azure-app-container-apps | Microsoft.app/containerapps/read |
Azure Container Instances | azure-container-instances-container-group | Microsoft.ContainerInstance/containerGroups/read |
Azure Container Registry | azure-container-registry | Microsoft.ContainerRegistry/registries/read Microsoft.ContainerRegistry/registries/metadata/read Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action Microsoft.insights/diagnosticSettings/read |
Azure Container Registry | azure-container-registry-repository | Microsoft.ContainerInstance/containerGroups/read |
Azure Cosmos DB | azure-cosmos-db | Microsoft.DocumentDB/databaseAccounts/read |
Azure Cosmos DB | azure-documentdb-cassandra-clusters | Microsoft.DocumentDB/cassandraClusters/read |
Azure Cosmos DB | azure-cosmos-db-diagnostic-settings | Microsoft.DocumentDB/databaseAccounts/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Cosmos DB | azure-documentdb-cassandra-clusters-diagnostic-settings | Microsoft.DocumentDB/cassandraClusters/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Data Box Gateway | azure-databox-gateway | Microsoft.DataBoxEdge/dataBoxEdgeDevices/read |
Azure Data Catalog | azure-datacatalog-catalog | Microsoft.DataCatalog/catalogs/read |
Azure Data Factory | azure-data-factory-v1 | Microsoft.DataFactory/datafactories/read |
Azure Data Factory | azure-data-factory-v2 | Microsoft.DataFactory/factories/read |
Azure Data Lake Analytics | azure-data-lake-analytics-account | Microsoft.DataLakeAnalytics/accounts/read Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/read Microsoft.DataLakeAnalytics/accounts/firewallRules/read Microsoft.DataLakeAnalytics/accounts/storageAccounts/read |
Azure Data Lake Analytics | azure-data-lake-analytics-diagnostic-settings | Microsoft.DataLakeAnalytics/accounts/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Data Lake Store Gen1 | azure-data-lake-store-gen1-account | Microsoft.DataLakeStore/accounts/read Microsoft.DataLakeStore/accounts/firewallRules/read Microsoft.DataLakeStore/accounts/trustedIdProviders/read Microsoft.DataLakeStore/accounts/virtualNetworkRules/read |
Azure Data Lake Store Gen1 | azure-data-lake-store-gen1-diagnostic-settings | Microsoft.DataLakeStore/accounts/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Data Share | azure-data-shares-account | Microsoft.DataShare/accounts/read |
Azure Database for MariaDB Server | azure-database-maria-db-server | Microsoft.DBforMariaDB/servers/read |
Azure Database for MariaDB Server | azure-database-maria-db-server-diagnostic-settings | Microsoft.DBforMariaDB/servers/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Database for MySQL | azure-mysql-server | Microsoft.DBforMySQL/servers/read Microsoft.DBforMySQL/servers/firewallRules/read Microsoft.DBforMySQL/servers/virtualNetworkRules/read |
Azure Database for MySQL | azure-mysql-flexible-server | Microsoft.DBforMySQL/flexibleServers/read Microsoft.DBforMySQL/flexibleServers/firewallRules/read Microsoft.DBforMySQL/flexibleServers/configurations/read |
Azure Database for MySQL | azure-mysql-flexible-server-diagnostic-settings | Microsoft.DBforMySQL/flexibleServers/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Database for PostgreSQL | azure-postgresql-server | Microsoft.DBforPostgreSQL/servers/read Microsoft.DBforPostgreSQL/servers/firewallRules/read Microsoft.DBforPostgreSQL/serversv2/firewallRules/read Microsoft.DBforPostgreSQL/servers/configurations/read Microsoft.insights/diagnosticSettings/read |
Azure Database for PostgreSQL | azure-postgresql-flexible-server | Microsoft.DBforPostgreSQL/flexibleServers/read Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/read Microsoft.DBforPostgreSQL/flexibleServers/configurations/read |
Azure Database for PostgreSQL | azure-postgresql-flexible-server-diagnostic-settings | Microsoft.DBforPostgreSQL/flexibleServers/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Database Migration Projects | azure-database-migration-project | Microsoft.DataMigration/services/read |
Azure Databricks | azure-databricks-workspace | Microsoft.Databricks/workspaces/read |
Azure Datadog | azure-datadog-monitors | Microsoft.Datadog/monitors/read |
Azure Defender for Cloud | azure-iot-security-solutions | Microsoft.Security/iotSecuritySolutions/read |
Azure Defender for Cloud | azure-defender-for-cloud-security-contact | Microsoft.Security/securityContacts/read |
Azure Defender for Cloud | azure-defender-for-cloud-setting | Microsoft.Security/settings/read |
Azure Defender for Cloud | azure-defender-for-cloud-workspace-setting | Microsoft.Security/workspaceSettings/read |
Azure Defender for Cloud | azure-defender-for-cloud-automation | Microsoft.Security/automations/read |
Azure Defender for Cloud | azure-defender-for-cloud-location | Microsoft.Security/locations/read |
Azure Defender for Cloud | azure-defender-for-cloud-pricing | Microsoft.Security/pricings/read |
Azure Dev Center | azure-dev-centers | Microsoft.DevCenter/devcenters/read |
Azure Dev Test Labs | azure-devtestlab-global-schedules | Microsoft.DevTestLab/schedules/read |
Azure DevOps | azure-devops-pipelines | Microsoft.DevOps/pipelines/read |
Azure Digital Twins | azure-digital-twins | Microsoft.DigitalTwins/digitalTwinsInstances/read |
Azure DNS | azure-dns-zones | Microsoft.Network/dnsZones/read |
Azure DNS | azure-dns-recordsets | Microsoft.Network/dnsZones/recordsets/read |
Azure Elastic | azure-elastic-monitors | Microsoft.Elastic/monitors/read |
Azure Event Grid | azure-event-grid-domains | Microsoft.EventGrid/domains/read |
Azure Event Grid | azure-event-grid-topic | Microsoft.EventGrid/topics/read |
Azure Event Grid | azure-event-grid-topic-privatelinkresource | Microsoft.EventGrid/topics/read Microsoft.EventGrid/topics/privateLinkResources/read |
Azure Event Grid | azure-event-grid-domains-privatelinkresource | Microsoft.EventGrid/domains/read Microsoft.EventGrid/domains/privateLinkResources/read |
Azure Event Hubs | azure-event-hub-namespace | Microsoft.EventHub/namespaces/read Microsoft.EventHub/namespaces/authorizationRules/read Microsoft.EventHub/namespaces/virtualnetworkrules/read Microsoft.EventHub/namespaces/ipfilterrules/read |
Azure Event Hubs | azure-event-hub | Microsoft.EventHub/namespaces/eventhubs/read Microsoft.EventHub/namespaces/eventhubs/authorizationRules/read |
Azure Event Hubs | azure-event-hub-namespace-private-endpoint-connections | Microsoft.EventHub/Namespaces/PrivateEndpointConnections/read |
Azure Event Hubs | azure-event-hub-cluster | Microsoft.EventHub/clusters/read |
Azure Event Hubs | azure-event-hub-namespace-diagnostic-settings | Microsoft.EventHub/namespaces/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Front Door | azure-frontdoor | Microsoft.Network/frontDoors/read Microsoft.Network/frontDoors/routingRules/read Microsoft.Network/frontDoors/backendPools/read Microsoft.Network/frontDoors/frontendEndpoints/read Microsoft.Network/frontDoors/healthProbeSettings/read Microsoft.Network/frontDoors/loadBalancingSettings/read Microsoft.Network/frontDoors/rulesEngines/read |
Azure HDInsight | azure-hdinsight-cluster | Microsoft.HDInsight/clusters/read |
Azure HDInsight | azure-hdinsight-applications | Microsoft.HDInsight/clusters/read Microsoft.HDInsight/clusters/applications/read |
Azure Health Bot | azure-healthbot-bots | Microsoft.HealthBot/healthBots/Read |
Azure Healthcare Apis | azure-healthcare-apis-workspaces | Microsoft.HealthcareApis/workspaces/read |
Azure HPC Cache | azure-hpc-cache | Microsoft.StorageCache/caches/read Microsoft.StorageCache/Subscription/caches/read |
Azure Hybrid Compute | azure-hybridcompute-machines | Microsoft.HybridCompute/machines/read |
Azure IoT Central | azure-iot-central-apps | Microsoft.IoTCentral/IoTApps/read |
Azure IoT Hub | azure-devices-iot-hub-resource | Microsoft.Devices/iotHubs/Read |
Azure IoT Hub | azure-devices-iot-hub-privatelinkresource | Microsoft.Devices/iotHubs/Read Microsoft.Devices/iotHubs/privateLinkResources/Read |
Azure IoT Hub | azure-devices-iot-hub-resource-diagnostic-settings | Microsoft.Devices/iotHubs/Read Microsoft.Insights/DiagnosticSettings/Read |
Azure Key Vault | azure-key-vault-list | Microsoft.KeyVault/vaults/read Microsoft.KeyVault/vaults/keys/read Microsoft.KeyVault/vaults/certificates/read Microsoft.KeyVault/vaults/secrets/readMetadata/action Microsoft.insights/diagnosticSettings/read |
Azure Key Vault | azure-key-vault-certificate | Microsoft.KeyVault/vaults/read Microsoft.KeyVault/vaults/certificates/read NOTE: Application certificate read permission is required if the application is part of the onboarded account. |
Azure Key Vault | azure-key-vault-privatelinkresource | Microsoft.KeyVault/vaults/read Microsoft.KeyVault/vaults/privateLinkResources/read |
Azure Key Vault | azure-key-vault-diagnostic-settings | Microsoft.KeyVault/vaults/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Key Vault | azure-key-vault-managed-hsms-diagnostic-settings | Microsoft.KeyVault/managedHSMs/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Key Vault | azure-key-vault-managed-hsms | Microsoft.KeyVault/managedHSMs/read |
Azure Kubernetes Service | azure-kubernetes-cluster | Microsoft.ContainerService/managedClusters/read |
Azure Kubernetes Service | azure-kubernetes-cluster-diagnostic-settings | Microsoft.ContainerService/managedClusters/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Kusto | azure-kusto-clusters | Microsoft.Kusto/clusters/read |
Azure Lab Services | azure-labservices-labs | Microsoft.LabServices/labs/read |
Azure Load Balancer | azure-network-lb-list | Microsoft.Network/loadBalancers/read Microsoft.insights/diagnosticSettings/read |
Azure Load Testing | azure-loadtest-service-load-tests | Microsoft.LoadTestService/loadTests/read |
Azure Local Network Gateways | azure-local-network-gateways | Microsoft.Network/localnetworkgateways/read |
Azure Log Analytics | azure-log-analytics-workspace | Microsoft.OperationalInsights/workspaces/read |
Azure Log Analytics | azure-log-analytics-linked-storage-accounts | Microsoft.OperationalInsights/workspaces/read Microsoft.OperationalInsights/workspaces/storageinsightconfigs/read |
Azure Logic Apps | azure-logic-app-workflow | Microsoft.Web/customApis |
Azure Logic Apps | azure-logic-app-custom-connector | Microsoft.Web/customApis |
Azure Logic Apps | azure-logic-app-integration-account | Microsoft.Logic/integrationAccounts/read |
Azure Logic Apps | azure-logic-app-workflow-diagnostic-settings | Microsoft.Logic/workflows/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Machine Learning | azure-machine-learning-workspace | Microsoft.MachineLearningServices/workspaces/read |
Azure Managed Applications | azure-solutions-applications | Microsoft.Solutions/applications/read |
Azure Managed Grafana | azure-dashboard-grafana | Microsoft.Dashboard/grafana/read |
Azure Managed Identity | azure-managed-identity-user-assigned-identities | Microsoft.ManagedIdentity/userAssignedIdentities/read |
Azure Managed Services | azure-managedservices-registration-assignments | Microsoft.ManagedServices/registrationAssignments/read |
Azure Management Group | azure-management-group-entities-list | Microsoft.Resources/subscriptions/read Microsoft.Management/managementGroups/descendants/read Microsoft.PowerBIDedicated/capacities/read |
Azure Maps Management | azure-maps-accounts | Microsoft.Maps/accounts/read |
Azure Media Service | azure-media-service-account | Microsoft.Media/mediaservices/read |
Azure Mixed Reality | azure-mixed-reality-object-anchors-accounts | Microsoft.MixedReality/ObjectAnchorsAccounts/read |
Azure Monitor | azure-monitor-log-profiles-list | Microsoft.Insights/LogProfiles/read |
Azure Monitor | azure-activity-log-alerts | Microsoft.Insights/ActivityLogAlerts/read |
Azure NetApp Files | azure-netappfiles-account | Microsoft.NetApp/netAppAccounts/read |
Azure Network Function | azure-network-function-traffic-collectors | Microsoft.NetworkFunction/azureTrafficCollectors/read |
Azure Network Watcher | azure-network-watcher-list | Microsoft.Network/networkWatchers/read Microsoft.Network/networkWatchers/securityGroupView/action Microsoft.Network/networkWatchers/queryFlowLogStatus/action |
Azure Notification Hubs | azure-notification-hub-namespace | Microsoft.NotificationHubs/Namespaces/read |
Azure Notification Hubs | azure-notification-hub | Microsoft.NotificationHubs/Namespaces/NotificationHubs/read |
Azure Orbital | azure-orbital-spacecrafts | Microsoft.Orbital/spacecrafts/read |
Azure Policy | azure-policy-assignments | Microsoft.Authorization/policyAssignments/read |
Azure Policy | azure-policy-definition | Microsoft.Authorization/policyDefinitions/read |
Azure Power BI Embedded | azure-powerbi-dedicated-capacities | Microsoft.PowerBIDedicated/servers/read Microsoft.PowerBIDedicated/capacities/read |
Azure Purview | azure-purview-account | Microsoft.Purview/accounts/read Microsoft.Purview/getDefaultAccount/read Microsoft.Purview/accounts/privateEndpointConnections/read |
Azure Purview | azure-purview-default-account | Microsoft.Purview/accounts/read Microsoft.Purview/getDefaultAccount/read Microsoft.Resources/subscriptions/read |
Azure Purview | azure-purview-privatelinkresource | Microsoft.Purview/accounts/privatelinkresources/read |
Azure Quantum | azure-quantum-workspace | Microsoft.Quantum/Workspaces/Read |
Azure Recovery Services | azure-recovery-service-vault | Microsoft.RecoveryServices/Vaults/read |
Azure Recovery Services | azure-recovery-service-backup-protected-item | Microsoft.RecoveryServices/Vaults/backupProtectedItems/read |
Azure Recovery Services | azure-recovery-service-vault-diagnostic-settings | Microsoft.RecoveryServices/Vaults/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Red Hat OpenShift | azure-redhat-openshift-cluster | Microsoft.RedHatOpenShift/openShiftClusters/read |
Azure Resource Manager | azure-resource-group | Microsoft.Resources/subscriptions/resourceGroups/read |
Azure Resource Manager | azure-role-definition | Microsoft.Authorization/roleDefinitions/read |
Azure Resource Manager | azure-role-assignment | Microsoft.Authorization/roleAssignments/read |
Azure Resource Manager | azure-classic-resource | Microsoft.Authorization/classicAdministrators/read |
Azure Resource Mover | azure-migrate-move-collections | Microsoft.Migrate/moveCollections/read |
Azure Security Center | azure-security-center-settings | Microsoft.Security/autoProvisioningSettings/read Microsoft.Security/pricings/read Microsoft.Security/securityContacts/read Microsoft.Security/settings/read |
Azure Service Bus | azure-service-bus-namespace | Microsoft.ServiceBus/namespaces/read Microsoft.ServiceBus/namespaces/authorizationRules/read Microsoft.ServiceBus/namespaces/providers/Microsoft.Insights/diagnosticSettings/read Microsoft.ServiceBus/namespaces/networkrulesets/read |
Azure Service Bus | azure-service-bus-namespace-private-endpoint-connection | Microsoft.ServiceBus/namespaces/privateEndpointConnections/read |
Azure Service Bus | azure-service-bus-queue | Microsoft.ServiceBus/namespaces/queues/read |
Azure Service Bus | azure-service-bus-topic | Microsoft.ServiceBus/namespaces/topics/read |
Azure Service Bus | azure-service-bus-topic-subscription | Microsoft.ServiceBus/namespaces/topics/subscriptions/read |
Azure Service Fabric | azure-service-fabric-cluster | Microsoft.ServiceFabric/clusters/read |
Azure SignalR Service | azure-signalr | Microsoft.SignalRService/SignalR/read |
Azure Spring Cloud | azure-spring-cloud-service | Microsoft.AppPlatform/Spring/read |
Azure Spring Cloud | azure-spring-cloud-app | Microsoft.AppPlatform/Spring/apps/read |
Azure SQL Database | azure-sql-db-list | Microsoft.Sql/servers/databases/read Microsoft.Sql/servers/databases/securityAlertPolicies/read Microsoft.Sql/servers/databases/transparentDataEncryption/read Microsoft.Sql/servers/databases/auditingSettings/read Microsoft.insights/diagnosticSettings/read |
Azure SQL Database | azure-sql-server-list | Microsoft.Sql/servers/read Microsoft.Sql/servers/securityAlertPolicies/read Microsoft.Sql/servers/auditingSettings/read Microsoft.Sql/servers/administrators/read Microsoft.Sql/servers/encryptionProtector/read Microsoft.Sql/servers/firewallRules/read |
Azure SQL Database | azure-sql-managed-instance | Microsoft.Sql/managedInstances/read |
Azure SQL Database | azure-sql-managed-instance-diagnostic-settings | Microsoft.Sql/managedInstances/read Microsoft.Insights/DiagnosticSettings/Read |
Azure SQL Database | azure-sql-db-diagnostic-settings | Microsoft.Sql/servers/read Microsoft.Sql/servers/databases/read Microsoft.Insights/DiagnosticSettings/Read |
Azure SQL Database | azure-sql-db-long-term-retention-policies | Microsoft.Sql/servers/read Microsoft.Sql/servers/databases/read Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/read |
Azure Stack HCI | azure-azurestackhci-clusters | Microsoft.AzureStackHCI/Clusters/Read |
Azure Storage | azure-storage-account-list | Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/listKeys/action Microsoft.Storage/storageAccounts/tableServices/read Microsoft.Storage/storageAccounts/queueServices/read Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read Microsoft.insights/diagnosticSettings/read |
Azure Storage | azure-storage-account-diagnostic-settings | Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/listKeys/action Microsoft.Storage/storageAccounts/tableServices/read Microsoft.Storage/storageAccounts/queueServices/read Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read Microsoft.insights/diagnosticSettings/read |
Azure Storage | azure-storage-account-table-diagnostic-settings | Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/tableServices/read Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read |
Azure Storage | azure-storage-account-queue-diagnostic-settings | Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/queueServices/read Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read |
Azure Storage | azure-storage-account-file-diagnostic-settings | Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/fileServices/read Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read |
Azure Storage | azure-storage-account-blob-diagnostic-settings | Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/blobServices/read Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read |
Azure Storage | azure-storage-account-keys | Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/listKeys/action |
Azure Storage | azure-storage-file-shares | Microsoft.Storage/storageAccounts/fileServices/shares/read |
Azure Storage Mover | azure-storage-movers | Microsoft.StorageMover/storageMovers/read |
Azure Storage Sync Services | azure-storage-sync-service | Microsoft.StorageSync/storageSyncServices/read |
Azure Storage Sync Services | azure-storage-sync-service-privatelinkresource | Microsoft.StorageSync/storageSyncServices/read Microsoft.StorageSync/storageSyncServices/privateLinkResources/read |
Azure StorSimple | azure-storsimple-managers | Microsoft.StorSimple/managers/read |
Azure Stream Analytics | azure-streamanalytics-clusters | Microsoft.StreamAnalytics/clusters/Read |
Azure Stream Analytics | azure-streamanalytics-streamingjobs | Microsoft.StreamAnalytics/streamingjobs/Read |
Azure Stream Analytics | azure-streamanalytics-streamingjobs-diagnostic-settings | Microsoft.StreamAnalytics/streamingjobs/Read Microsoft.Insights/DiagnosticSettings/Read |
Azure Subscriptions | azure-subscription-resource-providers-registration-status | Microsoft.Resources/subscriptions/providers/read |
Azure Subscriptions | azure-subscription-tenantpolicy | Microsoft.Subscription/Policies/default/read |
Azure Subscriptions | azure-subscription-list | Microsoft.Resources/subscriptions/read |
Azure Synapse Analytics | azure-synapse-privatelinkhub-privatelinkresource | Microsoft.Synapse/privateLinkHubs/privateLinkResources/read |
Azure Synapse Analytics | azure-synapse-privatelinkresource | Microsoft.Synapse/workspaces/read Microsoft.Synapse/workspaces/privateLinkResources/read |
Azure Synapse Analytics | azure-synapse-privatelinkhub | Microsoft.Synapse/privateLinkHubs/read |
Azure Synapse Analytics | azure-synapse-spark-configuration | Microsoft.Synapse/workspaces/read Microsoft.Synapse/workspaces/sparkConfigurations/read |
Azure Synapse Analytics | azure-synapse-workspace | Microsoft.Synapse/workspaces/read |
Azure Synapse Analytics | azure-synapse-workspace-managed-sql-server-vulnerability-assessments | Microsoft.Synapse/workspaces/read Microsoft.Synapse/workspaces/vulnerabilityAssessments/read |
Azure Test Base | azure-test-base-accounts | Microsoft.TestBase/testBaseAccounts/read |
Azure Time Series Insights | azure-timeseriesinsights-environments | Microsoft.TimeSeriesInsights/environments/read |
Azure Traffic Manager | azure-traffic-manager-profile | Microsoft.Network/trafficManagerProfiles/read |
Azure Video Indexer | azure-video-indexer-accounts | Microsoft.VideoIndexer/accounts/read |
Azure Virtual Desktop | azure-virtual-desktop-workspace | Microsoft.DesktopVirtualization/workspaces/read Microsoft.DesktopVirtualization/workspaces/providers/Microsoft.Insights/diagnosticSettings/read |
Azure Virtual Desktop | azure-virtual-desktop-session-host | Microsoft.DesktopVirtualization/hostpools/read Microsoft.DesktopVirtualization/hostpools/sessionhosts/read Microsoft.DesktopVirtualization/hostpools/sessionhostconfigurations/read |
Azure Virtual Network | azure-network-vnet-list | Microsoft.Network/virtualNetworks/read Microsoft.Network/virtualNetworks/subnets/read Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read Microsoft.insights/diagnosticSettings/read |
Azure Virtual Network | azure-network-nic-list | Microsoft.Network/networkInterfaces/read Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action |
Azure Virtual Network | azure-network-nsg-list | Microsoft.Network/networkSecurityGroups/read Microsoft.Network/networkSecurityGroups/securityRules/read Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read microsoft.insights/diagnosticSettings/read |
Azure Virtual Network | azure-network-subnet-list | Microsoft.Network/virtualNetworks/subnets/read |
Azure Virtual Network | azure-network-peering | Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read |
Azure Virtual Network | azure-network-route-table | Microsoft.Network/routeTables/read Microsoft.Network/routeTables/routes/read |
Azure Virtual Network | azure-network-application-security-group | Microsoft.Network/applicationSecurityGroups/read |
Azure Virtual Network | azure-network-firewall | Microsoft.Network/azurefirewalls/read Microsoft.insights/diagnosticSettings/read |
Azure Virtual Network | azure-network-usage | Microsoft.Network/locations/usages/read |
Azure Virtual Network | azure-network-public-ip-address | Microsoft.Network/publicIPAddresses/read Microsoft.insights/diagnosticSettings/read |
Azure Virtual Network | azure-ddos-protection-plan | Microsoft.Network/ddosProtectionPlans/read |
Azure Virtual Network | azure-network-firewall-policy | Microsoft.Network/firewallPolicies/read |
Azure Virtual Network | azure-bastion-host | Microsoft.Network/bastionHosts/read |
Azure Virtual Network | azure-bastion-diagnostic-settings | Microsoft.Network/bastionHosts/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Virtual Network | azure-private-link-service | Microsoft.Network/privateLinkServices/read |
Azure Virtual Network | azure-network-natgateway | Microsoft.Network/natGateways/read |
Azure Virtual Network | azure-vmss-instance-public-ips | Microsoft.Compute/virtualMachineScaleSets/read Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses/read |
Azure Virtual Network | azure-vmss-network-interface | Microsoft.Compute/virtualMachineScaleSets/read Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read |
Azure Virtual Network | azure-network-effective-nsg | Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action |
Azure Virtual Network | azure-network-effective-route-table | Microsoft.Network/networkInterfaces/effectiveRouteTable/action |
Azure Virtual Network | azure-network-public-ip-prefixes | Microsoft.Network/publicIPPrefixes/read |
Azure Virtual Network | azure-network-service-endpoint-policy | Microsoft.Network/serviceEndpointPolicies/read Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions/read |
Azure Virtual Network | azure-network-private-endpoint | Microsoft.Network/privateEndpoints/read |
Azure Virtual Network Gateway | azure-virtual-network-gateway | Microsoft.Network/virtualNetworkGateways/read |
Azure Virtual WAN | azure-virtual-wan-list | Microsoft.Network/virtualWans/read |
Azure Virtual WAN | azure-vpn-server-configurations | Microsoft.Network/vpnServerConfigurations/read |
Azure Virtual WAN | azure-p2s-vpn-gateway | Microsoft.Network/p2sVpnGateways/read |
Azure Visual Studio | azure-visual-studio-accounts | Microsoft.VisualStudio/account/read |
Azure VPN Gateway | azure-network-vpn-connection-list | Microsoft.Network/virtualNetworkGateways/read Microsoft.network/virtualnetworkgateways/connections/read Microsoft.Network/virtualwans/vpnconfiguration/action |
Azure Web Application Firewall | azure-frontdoor-waf-policy | Microsoft.Network/frontDoorWebApplicationFirewallPolicies/read |
Azure Web Application Firewall | azure-application-gateway-waf-policy | Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/read |
Azure Web PubSub Service | azure-signalrservice-web-pub-sub | Microsoft.SignalRService/WebPubSub/read |
Azure Workloads | azure-workloads-monitors | Microsoft.Workloads/monitors/read |
Azure Feature Permissions
Feature | Permissions |
---|---|
Workload Discovery | Microsoft.ContainerRegistry/registries/read Microsoft.ContainerRegistry/registries/metadata/read Microsoft.ContainerRegistry/registries/pull/read Microsoft.ContainerService/managedClusters/read Microsoft.Web/sites/Read Microsoft.ContainerInstance/containerGroups/read Microsoft.ContainerInstance/containerGroups/containers/exec/action Microsoft.Compute/virtualMachines/read Microsoft.Compute/hostGroups/read |
Threat Detection (Audit Logs) | Microsoft.Insights/ActivityLogAlerts/read |
Threat Detection (Flow Logs) | Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/listKeys/action Microsoft.Network/networkInterfaces/read Microsoft.Network/networkSecurityGroups/read Microsoft.Network/networkWatchers/read Microsoft.Network/networkWatchers/securityGroupView/action Microsoft.Network/networkWatchers/queryFlowLogStatus/* Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action Microsoft.Network/virtualwans/vpnconfiguration/action |
Agentless Workload Scanning | Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/subscriptions/resourceGroups/write Microsoft.Network/networkInterfaces/read Microsoft.Network/networkInterfaces/write Microsoft.Network/networkInterfaces/delete Microsoft.Network/networkInterfaces/join/action Microsoft.Network/networkSecurityGroups/read Microsoft.Network/networkSecurityGroups/write Microsoft.Network/networkSecurityGroups/delete Microsoft.Network/networkSecurityGroups/join/action Microsoft.Network/virtualNetworks/read Microsoft.Network/virtualNetworks/write Microsoft.Network/virtualNetworks/delete Microsoft.Network/virtualNetworks/subnets/read Microsoft.Network/virtualNetworks/subnets/join/action Microsoft.Compute/disks/read Microsoft.Compute/disks/write Microsoft.Compute/disks/delete Microsoft.Compute/disks/beginGetAccess/action Microsoft.Compute/snapshots/read Microsoft.Compute/snapshots/write Microsoft.Compute/snapshots/delete Microsoft.Compute/virtualMachines/read Microsoft.Compute/virtualMachines/write Microsoft.Compute/virtualMachines/delete Microsoft.Compute/virtualMachines/instanceView/read Microsoft.Compute/virtualMachineScaleSets/read Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read Microsoft.Compute/virtualMachineScaleSets/virtualmachines/instanceView/read |
Serverless Function Scanning | Microsoft.Web/sites/read Microsoft.Web/sites/config/list/action Microsoft.web/sites/functions/action Microsoft.web/sites/functions/read Microsoft.Web/sites/publishxml/action |
Agent-Based Workload Scanning | Microsoft.Compute/virtualMachines/runCommand/action Microsoft.Compute/locations/operations/read Microsoft.Resources/subscriptions/locations/read Microsoft.Compute/locations/publishers/artifacttypes/offers/skus/versions/read Microsoft.Compute/images/read Microsoft.Compute/galleries/read Microsoft.Compute/galleries/images/read Microsoft.Compute/galleries/images/versions/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/subscriptions/resourceGroups/write Microsoft.Resources/subscriptions/resourceGroups/delete Microsoft.Network/networkSecurityGroups/read Microsoft.Network/networkSecurityGroups/write Microsoft.Network/networkSecurityGroups/join/action Microsoft.Network/networkSecurityGroups/delete Microsoft.Network/networkInterfaces/read Microsoft.Network/networkInterfaces/write Microsoft.Network/networkInterfaces/join/action Microsoft.Network/networkInterfaces/delete Microsoft.Compute/disks/write Microsoft.Compute/disks/delete Microsoft.Network/virtualNetworks/subnets/read Microsoft.Network/virtualNetworks/subnets/join/action Microsoft.Compute/virtualMachines/read Microsoft.Compute/virtualMachines/write Microsoft.Compute/virtualMachines/start/action Microsoft.Compute/virtualMachines/delete, plus the built-in role Key Vault Crypto Service Encryption User |
Remediation | Microsoft.Web/sites/Write Microsoft.KeyVault/vaults/read Microsoft.Insights/LogProfiles/read Microsoft.Insights/LogProfiles/Write Microsoft.Insights/LogProfiles/Delete Microsoft.DBforPostgreSQL/servers/configurations/read Microsoft.DBforPostgreSQL/servers/configurations/write Microsoft.DBforMySQL/flexibleServers/configurations/write Microsoft.Sql/servers/databases/securityAlertPolicies/read Microsoft.Sql/servers/databases/securityAlertPolicies/write Microsoft.Web/sites/config/Write Microsoft.Storage/storageAccounts/write Microsoft.Authorization/policyAssignments/read Microsoft.Authorization/policyAssignments/write Microsoft.Authorization/policyAssignments/delete Microsoft.Sql/servers/databases/transparentDataEncryption/read Microsoft.Sql/servers/databases/transparentDataEncryption/write Microsoft.Network/networkSecurityGroups/securityRules/read Microsoft.Network/networkSecurityGroups/securityRules/write Microsoft.Network/networkSecurityGroups/securityRules/delete Microsoft.Security/autoProvisioningSettings/read Microsoft.Security/autoProvisioningSettings/write Microsoft.Storage/storageAccounts/* |
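The lists above are Azure RBAC action strings, and the practical question when onboarding is whether the role you assign to the Prisma Cloud application actually covers them. The following is an added example written for this page, not Prisma Cloud or Microsoft code: it checks a role definition's Actions and NotActions against the Flow Logs and Remediation lists copied from the table, applying Azure's matching rules (case-insensitive comparison, `*` matching any run of characters including `/`). The two role definitions and the function names (`grants`, `denies`, `missing_actions`, `non_read_actions`) are constructed for the example; a wildcard requirement such as `queryFlowLogStatus/*` is only counted as granted when the role's own wildcard spans it, which is deliberately conservative.

```python
"""Check whether an Azure role definition covers a feature's required actions.

Azure RBAC semantics as used here: action strings compare case-insensitively
and '*' matches any run of characters, '/' included, so
'Microsoft.Storage/storageAccounts/*' grants
'Microsoft.Storage/storageAccounts/listKeys/action'. A NotAction removes
what it matches from the granted set.
"""
import re
from typing import Dict, List

# Required actions copied from the Flow Logs and Remediation rows of the table.
REQUIRED: Dict[str, List[str]] = {
    "Flow Logs": [
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkWatchers/read",
        "Microsoft.Network/networkWatchers/securityGroupView/action",
        "Microsoft.Network/networkWatchers/queryFlowLogStatus/*",
        "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action",
        "Microsoft.Network/virtualwans/vpnconfiguration/action",
    ],
    "Remediation": [
        "Microsoft.Web/sites/Write",
        "Microsoft.KeyVault/vaults/read",
        "Microsoft.Insights/LogProfiles/read",
        "Microsoft.Insights/LogProfiles/Write",
        "Microsoft.Insights/LogProfiles/Delete",
        "Microsoft.DBforPostgreSQL/servers/configurations/read",
        "Microsoft.DBforPostgreSQL/servers/configurations/write",
        "Microsoft.DBforMySQL/flexibleServers/configurations/write",
        "Microsoft.Sql/servers/databases/securityAlertPolicies/read",
        "Microsoft.Sql/servers/databases/securityAlertPolicies/write",
        "Microsoft.Web/sites/config/Write",
        "Microsoft.Storage/storageAccounts/write",
        "Microsoft.Authorization/policyAssignments/read",
        "Microsoft.Authorization/policyAssignments/write",
        "Microsoft.Authorization/policyAssignments/delete",
        "Microsoft.Sql/servers/databases/transparentDataEncryption/read",
        "Microsoft.Sql/servers/databases/transparentDataEncryption/write",
        "Microsoft.Network/networkSecurityGroups/securityRules/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "Microsoft.Network/networkSecurityGroups/securityRules/delete",
        "Microsoft.Security/autoProvisioningSettings/read",
        "Microsoft.Security/autoProvisioningSettings/write",
        "Microsoft.Storage/storageAccounts/*",
    ],
}

# Constructed sample role definitions (Actions/NotActions lists); not real tenant data.
READER_LIKE = {"Actions": ["*/read"], "NotActions": []}
NETWORK_STORAGE = {
    "Actions": ["Microsoft.Storage/storageAccounts/*", "Microsoft.Network/*"],
    "NotActions": ["Microsoft.Network/*/write", "Microsoft.Network/*/delete"],
}


def _pattern(action: str):
    """Compile an RBAC action string to a regex; only '*' is special."""
    return re.compile(".*".join(re.escape(p) for p in action.split("*")), re.IGNORECASE)


def grants(pattern: str, required: str) -> bool:
    """True if a role action pattern covers the required action.

    A required string may itself contain '*' (queryFlowLogStatus/*). It is
    matched literally, so it only counts as covered when the granting
    pattern's own wildcard spans it; partial grants are reported as missing.
    """
    return _pattern(pattern).fullmatch(required) is not None


def denies(not_action: str, required: str) -> bool:
    """True if a NotAction removes all or part of the required action."""
    return grants(not_action, required) or grants(required, not_action)


def missing_actions(role: Dict[str, List[str]], required: List[str]) -> List[str]:
    """Required actions the role does not effectively grant."""
    gaps = []
    for action in required:
        allowed = any(grants(a, action) for a in role["Actions"])
        excluded = any(denies(n, action) for n in role.get("NotActions", []))
        if not allowed or excluded:
            gaps.append(action)
    return gaps


def non_read_actions(required: List[str]) -> List[str]:
    """Everything that is not a plain '/read': writes, deletes, '/action'
    operations and wildcards. These deserve explicit justification, since they
    can change resources or return secrets (listKeys/action)."""
    return [a for a in required if not a.lower().endswith("/read")]


if __name__ == "__main__":
    for feature, actions in REQUIRED.items():
        for name, role in (("reader-like", READER_LIKE), ("network+storage", NETWORK_STORAGE)):
            gaps = missing_actions(role, actions)
            print(f"{feature:<12} {name:<16} missing {len(gaps)}/{len(actions)}")
        print(f"{feature:<12} non-read actions: {len(non_read_actions(actions))}")
```

Against a read-only role the gap for both features is exactly the set of non-read actions, which is the list to review before widening the role; against the constructed network-plus-storage role, Flow Logs is fully covered while Remediation still lacks the NSG rule write and delete carved out by the NotActions, as well as every Web, Key Vault, Insights, database, Authorization and Security action. To check a real role, replace the sample dictionaries with the Actions and NotActions lists from your own role definition.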