1. Home
    2. VM-Series
    3. VM-Series Deployment Guide
    4. Set up the VM-Series Firewall on Azure
    5. About the VM-Series Firewall on Azure
    6. VM-Series on Azure Service Principal Permissions

    VM-Series on Azure Service Principal Permissions

    Review the granular permissions for the Service Principal for VM-Series integrations
    For Panorama to interact with the Azure APIs and collect information on your workloads, you need to create an Azure Active Directory application and a Service Principal that has the permissions required to authenticate with Azure AD and access the resources within your subscription.
    To create the Active Directory application and Service Principal, follow the instructions in How to: Use the portal to create an Azure AD application and service principal that can access resources. During the application generation process, there is a step to "Assign application to role" and assign an IAM role of "reader" to the application.
    If you don't have the necessary permissions to create and register the AD application, ask your Azure AD or subscription administrator to create a Service Principal.
    After the application has been registered, record these values so you can enter them in the Panorama plugin for Azure at a later time:
    • Application ID
    • Secret Key (record it when you make the secret key; the secret key is not visible once you navigate away from the page).
    • Tenant ID

    Permissions

    The following table lists the minimum built-in roles required and the granular permissions if you would like to customize the role.
    To support
    Permissions
    Azure High Availability
    “Microsoft.Authorization/*/read”,
    “Microsoft.Network/networkInterfaces/*”,
    “Microsoft.Network/networkSecurityGroups/*”,
    “Microsoft.Network/virtualNetworks/*”,
    “Microsoft.Compute/virtualMachines/read”
    Requires a minimum Role of
    Reader
     for Service Principal. Alternatively, you can add the following custom permissions:
    “Microsoft.Compute/virtualMachines/read”,
    “Microsoft.Network/networkInterfaces/read”,
    “Microsoft.Network/virtualNetworks/read”,
    “Microsoft.Network/locations/serviceTags/read”
    "Microsoft.Network/loadBalancers/read",
    "Microsoft.Network/publicIPAddresses/read"
    "Microsoft.Resources/subscriptions/resourcegroups/read",
    “Microsoft.Resources/subscriptions/resourcegroups/*”,
    “Microsoft.Resources/deployments/write”,
    “Microsoft.Resources/deployments/operationStatuses/read”,
    “Microsoft.Resources/deployments/read”,
    “Microsoft.Resources/deployments/delete”
    "Microsoft.Network/publicIPPrefixes/write",
    "Microsoft.Network/publicIPPrefixes/read",
    "Microsoft.Network/publicIPPrefixes/delete",
    "Microsoft.Network/publicIPAddresses/write",
    "Microsoft.Network/publicIPAddresses/read",
    "Microsoft.Network/publicIPAddresses/delete",
    "Microsoft.Network/publicIPAddresses/join/action",
    "Microsoft.Network/natGateways/write",
    "Microsoft.Network/natGateways/read",
    "Microsoft.Network/natGateways/delete",
    "Microsoft.Network/natGateways/join/action",
     
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/virtualNetworks/delete",
    "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/delete",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkSecurityGroups/delete",
    "Microsoft.Network/networkSecurityGroups/join/action",
    "Microsoft.Network/loadBalancers/write",
    "Microsoft.Network/loadBalancers/read",
    "Microsoft.Network/loadBalancers/delete",
    "Microsoft.Network/loadBalancers/probes/join/action",
    "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
    "Microsoft.Network/loadBalancers/frontendIPConfigurations/read",
    "Microsoft.Network/locations/serviceTags/read",
    "Microsoft.Network/applicationGateways/read",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Compute/virtualMachineScaleSets/write",
    "Microsoft.Compute/virtualMachineScaleSets/read",
    "Microsoft.Compute/virtualMachineScaleSets/delete",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/images/read",
    "Microsoft.insights/components/write",
    "Microsoft.insights/components/read",
    "Microsoft.insights/components/delete",
     
    "Microsoft.insights/autoscalesettings/write"

    Recommended For You