Microsoft Azure API Ingestions and Required Permissions
Reference the table below to identify the Azure APIs ingested by Prisma Cloud. The table also lists all the required permissions for each Azure service.
Misconfiguration Feature Permissions and APIs
Service | API Name | Permissions |
---|---|---|
Azure Active Directory | azure-active-directory-user | User.Read.All |
Azure Active Directory | azure-active-directory-conditional-access-policy | Policy.Read.All |
Azure Active Directory | azure-active-directory-named-location | Policy.Read.All |
Azure Active Directory | azure-active-directory-group | GroupMember.Read.All Group.Read.All |
Azure Active Directory | azure-active-directory-authorization-policy | Policy.Read.All |
Azure Active Directory | azure-active-directory-credential-user-registration-details | Reports.Read.All |
Azure Active Directory | azure-active-directory-group-settings | Directory.Read.All |
Azure Active Directory | azure-active-directory-enforcement-policy | Policy.Read.All |
Azure Active Directory | azure-active-directory-custom-domain | Domain.Read.All |
Azure Active Directory | azure-active-directory-service-principal-aws-app | Application.Read.All |
Azure Active Directory | azure-active-directory-iam-group | GroupMember.Read.All Group.Read.All |
Azure Active Directory | azure-active-directory-enterprise-applications | Application.Read.All |
Azure Active Directory | azure-active-directory-service-principal-app | Application.Read.All |
Azure Active Directory | azure-active-directory-app-registration | Application.Read.All |
Azure Advisor | azure-advisor-configurations | Microsoft.Advisor/configurations/read |
Azure Analysis Services | azure-analysisservices-servers | Microsoft.AnalysisServices/servers/read |
Azure API Management | azure-api-management-service | Microsoft.ApiManagement/service/read Microsoft.ApiManagement/service/portalsettings/read Microsoft.ApiManagement/service/tenant/read |
Azure App Configuration | azure-appconfiguration-configuration-stores | Microsoft.AppConfiguration/configurationStores/read |
Azure App Service | azure-app-service | Microsoft.Web/sites/read Microsoft.Web/sites/config/read Microsoft.Web/sites/functions/read Microsoft.Web/sites/config/list/read |
Azure App Service | | Microsoft.Web/certificates/Read |
Azure App Service | azure-app-service-domain | Microsoft.DomainRegistration/domains/Read |
Azure App Service | azure-app-service-environment | Microsoft.Web/hostingEnvironments/Read |
Azure App Service | azure-app-service-plan | Microsoft.Web/serverfarms/Read |
Azure App Service | azure-app-service-deployment-slots | Microsoft.Web/sites/slots/Read Microsoft.web/serverfarms/sites/read |
Azure App Service | azure-web-static-sites | Microsoft.Web/staticSites/read |
Azure App Service | azure-app-service-diagnostic-settings | Microsoft.Web/sites/Read Microsoft.Insights/DiagnosticSettings/Read |
Azure Application Gateway | azure-application-gateway | Microsoft.Network/applicationGateways/read |
Azure Application Insights | azure-application-insights-component | Microsoft.Insights/Components/read |
Azure Attestation | azure-attestation-providers | Microsoft.Attestation/attestationProviders/read |
Azure Automanage | azure-automanage-configuration-profiles | Microsoft.Automanage/configurationProfiles/Read |
Azure Automation Accounts | azure-automation-account | Microsoft.Automation/automationAccounts/read Microsoft.Automation/automationAccounts/variables/read |
Azure Automation Accounts | azure-automation-account-diagnostic-settings | Microsoft.Automation/automationAccounts/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Availability Sets | azure-vm-availability-set | Microsoft.Compute/availabilitySets/read |
Azure Batch Account | azure-batch-account | Microsoft.Batch/batchAccounts/read |
Azure Batch Account | azure-batch-account-diagnostic-settings | Microsoft.Batch/batchAccounts/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Batch Account | azure-batch-account-pool | Microsoft.Batch/batchAccounts/read Microsoft.Batch/batchAccounts/pools/read |
Azure Blueprint | azure-blueprints-list | Microsoft.Blueprint/blueprints/read |
Azure Bot Service | azure-botservice-bots | Microsoft.BotService/botServices/read |
Azure Cache | azure-cache-redis | Microsoft.Cache/redis/read Microsoft.Cache/redis/firewallRules/read |
Azure CDN | azure-cdn-profile | Microsoft.Cdn/profiles/read |
Azure CDN | azure-cdn-endpoint | Microsoft.Cdn/profiles/endpoints/read Microsoft.Cdn/profiles/endpoints/customdomains/read |
Azure CDN | azure-frontdoor-standardpremium-origin-groups | Microsoft.Cdn/profiles/read Microsoft.Cdn/profiles/origingroups/read |
Azure CDN | azure-frontdoor-standardpremium-security-policies | Microsoft.Cdn/profiles/read Microsoft.Cdn/profiles/securitypolicies/read |
Azure Chaos Studio | azure-chaos-experiments | Microsoft.Chaos/experiments/read |
Azure Cognitive Services | azure-cognitive-services-account | Microsoft.CognitiveServices/accounts/read |
Azure Cognitive Services | azure-cognitive-search-service-diagnostic-settings | Microsoft.Search/searchServices/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Communication | azure-communication-services | Microsoft.Communication/CommunicationServices/Read |
Azure Compute | azure-disk-list | Microsoft.Compute/disks/read |
Azure Compute | azure-virtual-machine-scale-set | Microsoft.Compute/virtualMachineScaleSets/read |
Azure Compute | azure-virtual-machine-scale-set-vm | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read Microsoft.Compute/virtualMachineScaleSets/virtualmachines/instanceView/read |
Azure Compute | azure-vm-start-time | Microsoft.Compute/virtualMachines/read Microsoft.Compute/virtualMachines/instanceView/read |
Azure Compute | azure-compute-dedicated-host-groups | Microsoft.Compute/hostGroups/read |
Azure Compute | azure-cloudservices-list | Microsoft.Compute/cloudServices/read |
Azure Compute | azure-cloudservices-roleinstance-publicip | Microsoft.Compute/cloudServices/read Microsoft.Compute/cloudServices/roleInstances/read Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/publicIPAddresses/read |
Azure Compute | azure-compute-gallery | Microsoft.Compute/galleries/read |
Azure Compute | azure-compute-gallery-image | Microsoft.Compute/galleries/read Microsoft.Compute/galleries/images/read |
Azure Confidential Ledger | azure-confidential-ledgers | Microsoft.ConfidentialLedger/ledgers/read |
Azure Confluent | azure-confluent-organizations | Microsoft.Confluent/organizations/Read |
Azure Container Apps | azure-app-container-apps | Microsoft.app/containerapps/read |
Azure Container Instances | azure-container-instances-container-group | Microsoft.ContainerInstance/containerGroups/read |
Azure Container Registry | azure-container-registry | Microsoft.ContainerRegistry/registries/read Microsoft.ContainerRegistry/registries/metadata/read Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action Microsoft.insights/diagnosticSettings/read |
Azure Container Registry | azure-container-registry-repository | Microsoft.ContainerInstance/containerGroups/read |
Azure Cosmos DB | azure-cosmos-db | Microsoft.DocumentDB/databaseAccounts/read |
Azure Cosmos DB | azure-documentdb-cassandra-clusters | Microsoft.DocumentDB/cassandraClusters/read |
Azure Cosmos DB | azure-cosmos-db-diagnostic-settings | Microsoft.DocumentDB/databaseAccounts/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Cosmos DB | azure-documentdb-cassandra-clusters-diagnostic-settings | Microsoft.DocumentDB/cassandraClusters/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Data Box Gateway | azure-databox-gateway | Microsoft.DataBoxEdge/dataBoxEdgeDevices/read |
Azure Data Catalog | azure-datacatalog-catalog | Microsoft.DataCatalog/catalogs/read |
Azure Data Factory | azure-data-factory-v1 | Microsoft.DataFactory/datafactories/read |
Azure Data Factory | azure-data-factory-v2 | Microsoft.DataFactory/factories/read |
Azure Data Lake Analytics | azure-data-lake-analytics-account | Microsoft.DataLakeAnalytics/accounts/read Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/read Microsoft.DataLakeAnalytics/accounts/firewallRules/read Microsoft.DataLakeAnalytics/accounts/storageAccounts/read |
Azure Data Lake Analytics | azure-data-lake-analytics-diagnostic-settings | Microsoft.DataLakeAnalytics/accounts/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Data Lake Store Gen1 | azure-data-lake-store-gen1-account | Microsoft.DataLakeStore/accounts/read Microsoft.DataLakeStore/accounts/firewallRules/read Microsoft.DataLakeStore/accounts/trustedIdProviders/read Microsoft.DataLakeStore/accounts/virtualNetworkRules/read |
Azure Data Shares | azure-data-shares-account | Microsoft.DataShare/accounts/read |
Azure Database for MariaDB Server | azure-database-maria-db-server | Microsoft.DBforMariaDB/servers/read |
Azure Database for MariaDB Server | azure-database-maria-db-server-diagnostic-settings | Microsoft.DBforMariaDB/servers/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Database for MySQL | azure-mysql-server | Microsoft.DBforMySQL/servers/read Microsoft.DBforMySQL/servers/firewallRules/read Microsoft.DBforMySQL/servers/virtualNetworkRules/read |
Azure Database for MySQL | azure-mysql-flexible-server | Microsoft.DBforMySQL/flexibleServers/read Microsoft.DBforMySQL/flexibleServers/firewallRules/read Microsoft.DBforMySQL/flexibleServers/configurations/read |
Azure Database for MySQL | azure-mysql-flexible-server-diagnostic-settings | Microsoft.DBforMySQL/flexibleServers/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Database for PostgreSQL | azure-postgresql-server | Microsoft.DBforPostgreSQL/servers/read Microsoft.DBforPostgreSQL/servers/firewallRules/read Microsoft.DBforPostgreSQL/serversv2/firewallRules/read Microsoft.DBforPostgreSQL/servers/configurations/read Microsoft.insights/diagnosticSettings/read |
Azure Database for PostgreSQL | azure-postgresql-flexible-server | Microsoft.DBforPostgreSQL/flexibleServers/read Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/read Microsoft.DBforPostgreSQL/flexibleServers/configurations/read |
Azure Database for PostgreSQL | azure-postgresql-flexible-server-diagnostic-settings | Microsoft.DBforPostgreSQL/flexibleServers/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Database Migration Projects | azure-database-migration-project | Microsoft.DataMigration/services/read |
Azure Databricks | azure-databricks-workspace | Microsoft.Databricks/workspaces/read |
Azure Datadog | azure-datadog-monitors | Microsoft.Datadog/monitors/read |
Azure Defender for Cloud | azure-iot-security-solutions | Microsoft.Security/iotSecuritySolutions/read |
Azure Defender for Cloud | azure-defender-for-cloud-security-contact | Microsoft.Security/securityContacts/read |
Azure Defender for Cloud | azure-defender-for-cloud-setting | Microsoft.Security/settings/read |
Azure Defender for Cloud | azure-defender-for-cloud-workspace-setting | Microsoft.Security/workspaceSettings/read |
Azure Defender for Cloud | azure-defender-for-cloud-automation | Microsoft.Security/automations/read |
Azure Defender for Cloud | azure-defender-for-cloud-location | Microsoft.Security/locations/read |
Azure Defender for Cloud | azure-defender-for-cloud-pricing | Microsoft.Security/pricings/read |
Azure Dev Center | azure-dev-centers | Microsoft.DevCenter/devcenters/read |
Azure Dev Test Labs | azure-devtestlab-global-schedules | Microsoft.DevTestLab/schedules/read |
Azure DevOps | azure-devops-pipelines | Microsoft.DevOps/pipelines/read |
Azure Digital Twins | azure-digital-twins | Microsoft.DigitalTwins/digitalTwinsInstances/read |
Azure DNS | azure-dns-zones | Microsoft.Network/dnsZones/read |
Azure DNS | azure-dns-recordsets | Microsoft.Network/dnsZones/recordsets/read |
Azure Elastic | azure-elastic-monitors | Microsoft.Elastic/monitors/read |
Azure Event Grid | azure-event-grid-domains | Microsoft.EventGrid/domains/read |
Azure Event Grid | azure-event-grid-topic | Microsoft.EventGrid/topics/read |
Azure Event Grid | azure-event-grid-topic-privatelinkresource | Microsoft.EventGrid/topics/read Microsoft.EventGrid/topics/privateLinkResources/read |
Azure Event Grid | azure-event-grid-domains-privatelinkresource | Microsoft.EventGrid/domains/read Microsoft.EventGrid/domains/privateLinkResources/read |
Azure Event Hubs | azure-event-hub-namespace | Microsoft.EventHub/namespaces/read Microsoft.EventHub/namespaces/authorizationRules/read Microsoft.EventHub/namespaces/virtualnetworkrules/read Microsoft.EventHub/namespaces/ipfilterrules/read |
Azure Event Hubs | azure-event-hub | Microsoft.EventHub/namespaces/eventhubs/read Microsoft.EventHub/namespaces/eventhubs/authorizationRules/read |
Azure Event Hubs | azure-event-hub-namespace-private-endpoint-connections | Microsoft.EventHub/Namespaces/PrivateEndpointConnections/read |
Azure Event Hubs | azure-event-hub-cluster | Microsoft.EventHub/clusters/read |
Azure Event Hubs | azure-event-hub-namespace-diagnostic-settings | Microsoft.EventHub/namespaces/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Front Door | azure-frontdoor | Microsoft.Network/frontDoors/read Microsoft.Network/frontDoors/routingRules/read Microsoft.Network/frontDoors/backendPools/read Microsoft.Network/frontDoors/frontendEndpoints/read Microsoft.Network/frontDoors/healthProbeSettings/read Microsoft.Network/frontDoors/loadBalancingSettings/read Microsoft.Network/frontDoors/rulesEngines/read |
Azure HDInsight | azure-hdinsight-cluster | Microsoft.HDInsight/clusters/read |
Azure HDInsight | azure-hdinsight-applications | Microsoft.HDInsight/clusters/read Microsoft.HDInsight/clusters/applications/read |
Azure Health Bot | azure-healthbot-bots | Microsoft.HealthBot/healthBots/Read |
Azure Healthcare Apis | azure-healthcare-apis-workspaces | Microsoft.HealthcareApis/workspaces/read |
Azure HPC Cache | azure-hpc-cache | Microsoft.StorageCache/caches/read Microsoft.StorageCache/Subscription/caches/read |
Azure Hybrid Compute | azure-hybridcompute-machines | Microsoft.HybridCompute/machines/read |
Azure IoT Central | azure-iot-central-apps | Microsoft.IoTCentral/IoTApps/read |
Azure IoT Hub | azure-devices-iot-hub-resource | Microsoft.Devices/iotHubs/Read |
Azure IoT Hub | azure-devices-iot-hub-privatelinkresource | Microsoft.Devices/iotHubs/Read Microsoft.Devices/iotHubs/privateLinkResources/Read |
Azure Key Vault | azure-key-vault-list | Microsoft.KeyVault/vaults/read Microsoft.KeyVault/vaults/keys/read Microsoft.KeyVault/vaults/certificates/read Microsoft.KeyVault/vaults/secrets/readMetadata/action Microsoft.insights/diagnosticSettings/read |
Azure Key Vault | azure-key-vault-certificate | Microsoft.KeyVault/vaults/read Microsoft.KeyVault/vaults/certificates/read NOTE: Application certificate read permission is required if the application is part of the onboarded account. |
Azure Key Vault | azure-key-vault-privatelinkresource | Microsoft.KeyVault/vaults/read Microsoft.KeyVault/vaults/privateLinkResources/read |
Azure Key Vault | azure-key-vault-diagnostic-settings | Microsoft.KeyVault/vaults/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Kubernetes Service | azure-kubernetes-cluster | Microsoft.ContainerService/managedClusters/read |
Azure Kubernetes Service | azure-kubernetes-cluster-diagnostic-settings | Microsoft.ContainerService/managedClusters/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Kusto | azure-kusto-clusters | Microsoft.Kusto/clusters/read |
Azure Lab Services | azure-labservices-labs | Microsoft.LabServices/labs/read |
Azure Load Balancer | azure-network-lb-list | Microsoft.Network/loadBalancers/read Microsoft.insights/diagnosticSettings/read |
Azure Load Testing | azure-loadtest-service-load-tests | Microsoft.LoadTestService/loadTests/read |
Azure Local Network Gateways | azure-local-network-gateways | Microsoft.Network/localnetworkgateways/read |
Azure Log Analytics | azure-log-analytics-workspace | Microsoft.OperationalInsights/workspaces/read |
Azure Logic Apps | azure-logic-app-workflow | Microsoft.Web/customApis |
Azure Logic Apps | azure-logic-app-custom-connector | Microsoft.Web/customApis |
Azure Logic Apps | azure-logic-app-integration-account | Microsoft.Logic/integrationAccounts/read |
Azure Logic Apps | azure-logic-app-workflow-diagnostic-settings | Microsoft.Logic/workflows/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Machine Learning | azure-machine-learning-workspace | Microsoft.MachineLearningServices/workspaces/read |
Azure Managed Applications | azure-solutions-applications | Microsoft.Solutions/applications/read |
Azure Managed Grafana | azure-dashboard-grafana | Microsoft.Dashboard/grafana/read |
Azure Managed Identity | azure-managed-identity-user-assigned-identities | Microsoft.ManagedIdentity/userAssignedIdentities/read |
Azure Managed Services | azure-managedservices-registration-assignments | Microsoft.ManagedServices/registrationAssignments/read |
Azure Management Group | azure-management-group-entities-list | Microsoft.Resources/subscriptions/read Microsoft.Management/managementGroups/descendants/read Microsoft.PowerBIDedicated/capacities/read |
Azure Maps Management | azure-maps-accounts | Microsoft.Maps/accounts/read |
Azure Media Service | azure-media-service-account | Microsoft.Media/mediaservices/read |
Azure Mixed Reality | azure-mixed-reality-object-anchors-accounts | Microsoft.MixedReality/ObjectAnchorsAccounts/read |
Azure Monitor | azure-monitor-log-profiles-list | Microsoft.Insights/LogProfiles/read |
Azure Monitor | azure-activity-log-alerts | Microsoft.Insights/ActivityLogAlerts/read |
Azure NetApp Files | azure-netappfiles-account | Microsoft.NetApp/netAppAccounts/read |
Azure Network Function | azure-network-function-traffic-collectors | Microsoft.NetworkFunction/azureTrafficCollectors/read |
Azure Network Watcher | azure-network-watcher-list | Microsoft.Network/networkWatchers/read Microsoft.Network/networkWatchers/securityGroupView/action Microsoft.Network/networkWatchers/queryFlowLogStatus/action |
Azure Notification Hubs | azure-notification-hub-namespace | Microsoft.NotificationHubs/Namespaces/read |
Azure Notification Hubs | azure-notification-hub | Microsoft.NotificationHubs/Namespaces/NotificationHubs/read |
Azure Orbital | azure-orbital-spacecrafts | Microsoft.Orbital/spacecrafts/read |
Azure Policy | azure-policy-assignments | Microsoft.Authorization/policyAssignments/read |
Azure Policy | azure-policy-definition | Microsoft.Authorization/policyDefinitions/read |
Azure Power BI Embedded | azure-powerbi-dedicated-capacities | Microsoft.PowerBIDedicated/servers/read Microsoft.PowerBIDedicated/capacities/read |
Azure Purview | azure-purview-account | Microsoft.Purview/accounts/read Microsoft.Purview/getDefaultAccount/read Microsoft.Purview/accounts/privateEndpointConnections/read |
Azure Purview | azure-purview-default-account | Microsoft.Purview/accounts/read Microsoft.Purview/getDefaultAccount/read Microsoft.Resources/subscriptions/read |
Azure Purview | azure-purview-privatelinkresource | Microsoft.Purview/accounts/privatelinkresources/read |
Azure Quantum | azure-quantum-workspace | Microsoft.Quantum/Workspaces/Read |
Azure Recovery Services | azure-recovery-service-vault | Microsoft.RecoveryServices/Vaults/read |
Azure Recovery Services | azure-recovery-service-backup-protected-item | Microsoft.RecoveryServices/Vaults/backupProtectedItems/read |
Azure Recovery Services | azure-recovery-service-vault-diagnostic-settings | Microsoft.RecoveryServices/Vaults/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Red Hat OpenShift | azure-redhat-openshift-cluster | Microsoft.RedHatOpenShift/openShiftClusters/read |
Azure Resource Manager | azure-resource-group | Microsoft.Resources/subscriptions/resourceGroups/read |
Azure Resource Manager | azure-role-definition | Microsoft.Authorization/roleDefinitions/read |
Azure Resource Manager | azure-role-assignment | Microsoft.Authorization/roleAssignments/read |
Azure Resource Manager | azure-classic-resource | Microsoft.Authorization/classicAdministrators/read |
Azure Resource Mover | azure-migrate-move-collections | Microsoft.Migrate/moveCollections/read |
Azure Security Center | azure-security-center-settings | Microsoft.Security/autoProvisioningSettings/read Microsoft.Security/pricings/read Microsoft.Security/securityContacts/read Microsoft.Security/settings/read |
Azure Service Bus | azure-service-bus-namespace | Microsoft.ServiceBus/namespaces/read Microsoft.ServiceBus/namespaces/authorizationRules/read Microsoft.ServiceBus/namespaces/providers/Microsoft.Insights/diagnosticSettings/read Microsoft.ServiceBus/namespaces/networkrulesets/read |
Azure Service Bus | azure-service-bus-namespace-private-endpoint-connection | Microsoft.ServiceBus/namespaces/privateEndpointConnections/read |
Azure Service Bus | azure-service-bus-queue | Microsoft.ServiceBus/namespaces/queues/read |
Azure Service Bus | azure-service-bus-topic | Microsoft.ServiceBus/namespaces/topics/read |
Azure Service Bus | azure-service-bus-topic-subscription | Microsoft.ServiceBus/namespaces/topics/subscriptions/read |
Azure Service Fabric | azure-service-fabric-cluster | Microsoft.ServiceFabric/clusters/read |
Azure SignalR Service | azure-signalr | Microsoft.SignalRService/SignalR/read |
Azure Spring Cloud | azure-spring-cloud-service | Microsoft.AppPlatform/Spring/read |
Azure Spring Cloud | azure-spring-cloud-app | Microsoft.AppPlatform/Spring/apps/read |
Azure SQL Database | azure-sql-db-list | Microsoft.Sql/servers/databases/read Microsoft.Sql/servers/databases/securityAlertPolicies/read Microsoft.Sql/servers/databases/transparentDataEncryption/read Microsoft.Sql/servers/databases/auditingSettings/read Microsoft.insights/diagnosticSettings/read |
Azure SQL Database | azure-sql-server-list | Microsoft.Sql/servers/read Microsoft.Sql/servers/securityAlertPolicies/read Microsoft.Sql/servers/auditingSettings/read Microsoft.Sql/servers/administrators/read Microsoft.Sql/servers/encryptionProtector/read Microsoft.Sql/servers/firewallRules/read |
Azure SQL Database | azure-sql-managed-instance | Microsoft.Sql/managedInstances/read |
Azure SQL Database | azure-sql-managed-instance-diagnostic-settings | Microsoft.Sql/managedInstances/read Microsoft.Insights/DiagnosticSettings/Read |
Azure SQL Database | azure-sql-db-diagnostic-settings | Microsoft.Sql/servers/read Microsoft.Sql/servers/databases/read Microsoft.Insights/DiagnosticSettings/Read |
Azure Stack HCI | azure-azurestackhci-clusters | Microsoft.AzureStackHCI/Clusters/Read |
Azure Storage | azure-storage-account-list | Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/listKeys/action Microsoft.Storage/storageAccounts/tableServices/read Microsoft.Storage/storageAccounts/queueServices/read Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read Microsoft.insights/diagnosticSettings/read |
Azure Storage | azure-storage-account-diagnostic-settings | Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/listKeys/action Microsoft.Storage/storageAccounts/tableServices/read Microsoft.Storage/storageAccounts/queueServices/read Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read Microsoft.insights/diagnosticSettings/read |
Azure Storage | azure-storage-account-table-diagnostic-settings | Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/tableServices/read Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read |
Azure Storage | azure-storage-account-queue-diagnostic-settings | Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/queueServices/read Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read |
Azure Storage | azure-storage-account-file-diagnostic-settings | Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/fileServices/read Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read |
Azure Storage | azure-storage-account-blob-diagnostic-settings | Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/blobServices/read Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read |
Azure Storage | azure-storage-account-keys | Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/listKeys/action |
Azure Storage | azure-storage-file-shares | Microsoft.Storage/storageAccounts/fileServices/shares/read |
Azure Storage Mover | azure-storage-movers | Microsoft.StorageMover/storageMovers/read |
Azure Storage Sync Services | azure-storage-sync-service | Microsoft.StorageSync/storageSyncServices/read |
Azure Storage Sync Services | azure-storage-sync-service-privatelinkresource | Microsoft.StorageSync/storageSyncServices/read Microsoft.StorageSync/storageSyncServices/privateLinkResources/read |
Azure StorSimple | azure-storsimple-managers | Microsoft.StorSimple/managers/read |
Azure Stream Analytics | azure-streamanalytics-clusters | Microsoft.StreamAnalytics/clusters/Read |
Azure Stream Analytics | azure-streamanalytics-streamingjobs | Microsoft.StreamAnalytics/streamingjobs/Read |
Azure Stream Analytics | azure-streamanalytics-streamingjobs-diagnostic-settings | Microsoft.StreamAnalytics/streamingjobs/Read Microsoft.Insights/DiagnosticSettings/Read |
Azure Subscriptions | azure-subscription-resource-providers-registration-status | Microsoft.Resources/subscriptions/providers/read |
Azure Subscriptions | azure-subscription-tenantpolicy | Microsoft.Subscription/Policies/default/read |
Azure Subscriptions | azure-subscription-list | Microsoft.Resources/subscriptions/read |
Azure Synapse Analytics | azure-synapse-privatelinkhub-privatelinkresource | Microsoft.Synapse/privateLinkHubs/privateLinkResources/read |
Azure Synapse Analytics | azure-synapse-privatelinkresource | Microsoft.Synapse/workspaces/read Microsoft.Synapse/workspaces/privateLinkResources/read |
Azure Synapse Analytics | azure-synapse-privatelinkhub | Microsoft.Synapse/privateLinkHubs/read |
Azure Synapse Analytics | azure-synapse-spark-configuration | Microsoft.Synapse/workspaces/read Microsoft.Synapse/workspaces/sparkConfigurations/read |
Azure Synapse Analytics | azure-synapse-workspace | Microsoft.Synapse/workspaces/read |
Azure Test Base | azure-test-base-accounts | Microsoft.TestBase/testBaseAccounts/read |
Azure Time Series Insights | azure-timeseriesinsights-environments | Microsoft.TimeSeriesInsights/environments/read |
Azure Traffic Manager | azure-traffic-manager-profile | Microsoft.Network/trafficManagerProfiles/read |
Azure Video Indexer | azure-video-indexer-accounts | Microsoft.VideoIndexer/accounts/read |
Azure Virtual Desktop | azure-virtual-desktop-workspace | Microsoft.DesktopVirtualization/workspaces/read Microsoft.DesktopVirtualization/workspaces/providers/Microsoft.Insights/diagnosticSettings/read |
Azure Virtual Desktop | azure-virtual-desktop-session-host | Microsoft.DesktopVirtualization/hostpools/read Microsoft.DesktopVirtualization/hostpools/sessionhosts/read Microsoft.DesktopVirtualization/hostpools/sessionhostconfigurations/read |
Azure Virtual Network | azure-network-vnet-list | Microsoft.Network/virtualNetworks/read Microsoft.Network/virtualNetworks/subnets/read Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read Microsoft.insights/diagnosticSettings/read |
Azure Virtual Network | azure-network-nic-list | Microsoft.Network/networkInterfaces/read Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action |
Azure Virtual Network | azure-network-nsg-list | Microsoft.Network/networkSecurityGroups/read Microsoft.Network/networkSecurityGroups/securityRules/read Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read microsoft.insights/diagnosticSettings/read |
Azure Virtual Network | azure-network-subnet-list | Microsoft.Network/virtualNetworks/subnets/read |
Azure Virtual Network | azure-network-peering | Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read |
Azure Virtual Network | azure-network-route-table | Microsoft.Network/routeTables/read Microsoft.Network/routeTables/routes/read |
Azure Virtual Network | azure-network-application-security-group | Microsoft.Network/applicationSecurityGroups/read |
Azure Virtual Network | azure-network-firewall | Microsoft.Network/azurefirewalls/read Microsoft.insights/diagnosticSettings/read |
Azure Virtual Network | azure-network-usage | Microsoft.Network/locations/usages/read |
Azure Virtual Network | azure-network-public-ip-address | Microsoft.Network/publicIPAddresses/read Microsoft.insights/diagnosticSettings/read |
Azure Virtual Network | azure-ddos-protection-plan | Microsoft.Network/ddosProtectionPlans/read |
Azure Virtual Network | azure-network-firewall-policy | Microsoft.Network/firewallPolicies/read |
Azure Virtual Network | azure-bastion-host | Microsoft.Network/bastionHosts/read |
Azure Virtual Network | azure-private-link-service | Microsoft.Network/privateLinkServices/read |
Azure Virtual Network | azure-network-natgateway | Microsoft.Network/natGateways/read |
Azure Virtual Network | azure-vmss-instance-public-ips | Microsoft.Compute/virtualMachineScaleSets/read Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses/read |
Azure Virtual Network | azure-vmss-network-interface | Microsoft.Compute/virtualMachineScaleSets/read Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read |
Azure Virtual Network | azure-network-effective-nsg | Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action |
Azure Virtual Network | azure-network-effective-route-table | Microsoft.Network/networkInterfaces/effectiveRouteTable/action |
Azure Virtual Network | azure-network-public-ip-prefixes | Microsoft.Network/publicIPPrefixes/read |
Azure Virtual Network | azure-network-service-endpoint-policy | Microsoft.Network/serviceEndpointPolicies/read Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions/read |
Azure Virtual Network | azure-network-private-endpoint | Microsoft.Network/privateEndpoints/read |
Azure Virtual Network Gateway | azure-virtual-network-gateway | Microsoft.Network/virtualNetworkGateways/read |
Azure Virtual WAN | azure-virtual-wan-list | Microsoft.Network/virtualWans/read |
Azure Virtual WAN | azure-vpn-server-configurations | Microsoft.Network/vpnServerConfigurations/read |
Azure Virtual WAN | azure-p2s-vpn-gateway | Microsoft.Network/p2sVpnGateways/read |
Azure Visual Studio | azure-visual-studio-accounts | Microsoft.VisualStudio/account/read |
Azure VPN Gateway | azure-network-vpn-connection-list | Microsoft.Network/virtualNetworkGateways/read Microsoft.network/virtualnetworkgateways/connections/read Microsoft.Network/virtualwans/vpnconfiguration/action |
Azure Web Application Firewall | azure-frontdoor-waf-policy | Microsoft.Network/frontDoorWebApplicationFirewallPolicies/read |
Azure Web Application Firewall | azure-application-gateway-waf-policy | Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/read |
Azure Web PubSub Service | azure-signalrservice-web-pub-sub | Microsoft.SignalRService/WebPubSub/read |
Azure Workloads | azure-workloads-monitors | Microsoft.Workloads/monitors/read |
Azure Feature Permissions
Feature | Permissions |
---|---|
Workload Discovery | Microsoft.ContainerRegistry/registries/read Microsoft.ContainerRegistry/registries/metadata/read Microsoft.ContainerRegistry/registries/pull/read Microsoft.ContainerService/managedClusters/read Microsoft.Web/sites/Read Microsoft.ContainerInstance/containerGroups/read Microsoft.ContainerInstance/containerGroups/containers/exec/action Microsoft.Compute/virtualMachines/read Microsoft.Compute/hostGroups/read |
Threat Detection (Audit Logs) | Microsoft.Insights/ActivityLogAlerts/read |
Threat Detection (Flow Logs) | Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/listKeys/action Microsoft.Network/networkInterfaces/read Microsoft.Network/networkSecurityGroups/read Microsoft.Network/networkWatchers/read Microsoft.Network/networkWatchers/securityGroupView/action Microsoft.Network/networkWatchers/queryFlowLogStatus/* Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action Microsoft.Network/virtualwans/vpnconfiguration/action |
Agentless Workload Scanning | Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/subscriptions/resourceGroups/write Microsoft.Network/networkInterfaces/read Microsoft.Network/networkInterfaces/write Microsoft.Network/networkInterfaces/delete Microsoft.Network/networkInterfaces/join/action Microsoft.Network/networkSecurityGroups/read Microsoft.Network/networkSecurityGroups/write Microsoft.Network/networkSecurityGroups/delete Microsoft.Network/networkSecurityGroups/join/action Microsoft.Network/virtualNetworks/read Microsoft.Network/virtualNetworks/write Microsoft.Network/virtualNetworks/delete Microsoft.Network/virtualNetworks/subnets/read Microsoft.Network/virtualNetworks/subnets/join/action Microsoft.Compute/disks/read Microsoft.Compute/disks/write Microsoft.Compute/disks/delete Microsoft.Compute/disks/beginGetAccess/action Microsoft.Compute/snapshots/read Microsoft.Compute/snapshots/write Microsoft.Compute/snapshots/delete Microsoft.Compute/virtualMachines/read Microsoft.Compute/virtualMachines/write Microsoft.Compute/virtualMachines/delete Microsoft.Compute/virtualMachines/instanceView/read Microsoft.Compute/virtualMachineScaleSets/read Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read Microsoft.Compute/virtualMachineScaleSets/virtualmachines/instanceView/read |
Serverless Function Scanning | Microsoft.Web/sites/read Microsoft.Web/sites/config/list/action |
Microsoft.web/sites/functions/action | |
Microsoft.web/sites/functions/read | |
Microsoft.Web/sites/publishxml/action | |
Agent Based Workload Scanning | Microsoft.Compute/virtualMachines/runCommand/action |
Microsoft.Compute/locations/operations/read | |
Microsoft.Resources/subscriptions/locations/read | |
Microsoft.Compute/locations/publishers/artifacttypes/offers/skus/versions/read | |
Microsoft.Compute/images/read | |
Microsoft.Compute/galleries/read | |
Microsoft.Compute/galleries/images/read | |
Microsoft.Compute/galleries/images/versions/read | |
Microsoft.Resources/subscriptions/resourceGroups/read | |
Microsoft.Resources/subscriptions/resourceGroups/write | |
Microsoft.Resources/subscriptions/resourceGroups/delete | |
Microsoft.Network/networkSecurityGroups/read | |
Microsoft.Network/networkSecurityGroups/write | |
Microsoft.Network/networkSecurityGroups/join/action | |
Microsoft.Network/networkSecurityGroups/delete | |
Microsoft.Network/networkInterfaces/read | |
Microsoft.Network/networkInterfaces/write | |
Microsoft.Network/networkInterfaces/join/action | |
Microsoft.Network/networkInterfaces/delete | |
Microsoft.Compute/disks/write | |
Microsoft.Compute/disks/delete | |
Microsoft.Network/virtualNetworks/subnets/read | |
Microsoft.Network/virtualNetworks/subnets/join/action | |
Microsoft.Compute/virtualMachines/read | |
Microsoft.Compute/virtualMachines/write | |
Microsoft.Compute/virtualMachines/start/action | |
Microsoft.Compute/virtualMachines/delete | |
Built in Role: Key Vault Crypto Service Encryption User | |
Remediation | Microsoft.Web/sites/Write |
Microsoft.KeyVault/vaults/read | |
Microsoft.Insights/LogProfiles/read | |
Microsoft.Insights/LogProfiles/Write | |
Microsoft.Insights/LogProfiles/Delete | |
Microsoft.DBforPostgreSQL/servers/configurations/read | |
Microsoft.DBforPostgreSQL/servers/configurations/write | |
Microsoft.DBforMySQL/flexibleServers/configurations/write | |
Microsoft.Sql/servers/databases/securityAlertPolicies/read | |
Microsoft.Sql/servers/databases/securityAlertPolicies/write | |
Microsoft.Web/sites/config/Write | |
Microsoft.Storage/storageAccounts/write | |
Microsoft.Authorization/policyAssignments/read | |
Microsoft.Authorization/policyAssignments/write | |
Microsoft.Authorization/policyAssignments/delete | |
Microsoft.Sql/servers/databases/transparentDataEncryption/read | |
Microsoft.Sql/servers/databases/transparentDataEncryption/write | |
Microsoft.Network/networkSecurityGroups/securityRules/read | |
Microsoft.Network/networkSecurityGroups/securityRules/write | |
Microsoft.Network/networkSecurityGroups/securityRules/delete | |
Microsoft.Security/autoProvisioningSettings/read | |
Microsoft.Security/autoProvisioningSettings/write | |
Microsoft.Storage/storageAccounts/* |