Azure Roles and Permissions

This topic describes the Azure applications and roles that CloudGuard uses to manage your accounts.

The applications and the roles granted give CloudGuard permission to manage specific entities (such as Security Groups, Instances, etc.) in your Azure account.

Roles

The roles depend on whether the account is onboarded in Read-Only or Manage mode.

You must create a new Web App/API application (and name it CloudGuard-Connect, for example).

  • Read-Only

    In your subscription, you must add this Access Control role to the Web App/API application: Reader.

  • Manage

    In your subscription, you must add these Access Control roles to the Web App/API application:

    • Reader

    • Network Contributor

Permissions

Important - To ensure the maximal security of your assets, CloudGuard adheres to the principle of least privilege and requires only a minimal set of access permissions. If you want to allow CloudGuard more access, grant access to additional resources and services. For troubleshooting information, see Troubleshooting Azure Onboarding.

Administrator consent is required to add the API application permissions below:

  • Directory.Read.All, which includes, and can be replaced by, these narrower permissions:

    • User.Read.All

    • Group.Read.All

    • Application.Read.All

  • Reports.Read.All, which is required for Security Center-related entities, such as DefenderServerVulnAssmt

  • Policy.Read.All, used to fetch AD access policies, such as:

    • ADAuthorizationPolicy

    • ADCondAccessPolicy

    • ADSecurityDefaults

  • AccessReview.Read.All, used to fetch AD-level review policies, such as:

    • ADAccessReviewsScheduleDefinition

    • ADCondAccessNamedLocation

For more information about the permissions used, see Microsoft Graph permissions reference.
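The two sections above define the exact RBAC roles (Reader, or Reader plus Network Contributor) and the Microsoft Graph application permissions that the CloudGuard application should hold. The following Python script is an added example, not CloudGuard's or Microsoft's own code: it audits an app registration against those sets, reporting anything missing (onboarding will fail) and anything extra (a least-privilege violation), and it applies the rule that Directory.Read.All may be replaced by User.Read.All, Group.Read.All and Application.Read.All. The role-assignment input follows the shape of `az role assignment list --assignee <sp> -o json`; the Graph permission input is assumed to be a list of permission names already resolved from their IDs. Both inputs below are constructed samples, and `<subscription-id>` is a placeholder.

```python
"""Least-privilege audit of a CloudGuard Azure app registration.

Added example (not CloudGuard's own tooling). Expected sets come from the
roles and permissions listed on this page.
"""
import json

# RBAC roles expected per onboarding mode (assigned at subscription scope).
READ_ONLY_ROLES = {"Reader"}
MANAGE_ROLES = {"Reader", "Network Contributor"}

# Roles that grant far more than CloudGuard needs; always worth flagging.
OVERPRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Graph application permissions: Directory.Read.All may be replaced by the
# three narrower permissions; the others are always required.
DIRECTORY_READ_EQUIVALENT = {"User.Read.All", "Group.Read.All", "Application.Read.All"}
OTHER_GRAPH_PERMISSIONS = {"Reports.Read.All", "Policy.Read.All", "AccessReview.Read.All"}
ALLOWED_GRAPH_PERMISSIONS = (
    {"Directory.Read.All"} | DIRECTORY_READ_EQUIVALENT | OTHER_GRAPH_PERMISSIONS
)

# Constructed sample: shape of `az role assignment list --assignee <sp> -o json`.
SAMPLE_ASSIGNMENTS_JSON = """
[
  {"principalName": "CloudGuard-Connect", "roleDefinitionName": "Reader",
   "scope": "/subscriptions/<subscription-id>"},
  {"principalName": "CloudGuard-Connect", "roleDefinitionName": "Network Contributor",
   "scope": "/subscriptions/<subscription-id>"},
  {"principalName": "CloudGuard-Connect", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/<subscription-id>"}
]
"""

# Constructed sample: granted Graph application permissions, names resolved.
SAMPLE_GRAPH_PERMISSIONS = [
    "User.Read.All", "Group.Read.All", "Reports.Read.All", "Policy.Read.All", "Mail.Read",
]


def load_assignments(json_text):
    """Parse role assignment JSON into a list of dicts."""
    return json.loads(json_text)


def check_roles(assignments, mode):
    """Compare granted RBAC roles with the expected set for the onboarding mode.

    mode is "read-only" or "manage". Returns missing roles (onboarding would
    fail), excess roles (beyond least privilege) and the subset of excess
    roles that are broadly over-privileged.
    """
    if mode not in ("read-only", "manage"):
        raise ValueError("mode must be 'read-only' or 'manage'")
    expected = READ_ONLY_ROLES if mode == "read-only" else MANAGE_ROLES
    granted = {a["roleDefinitionName"] for a in assignments}
    return {
        "missing": sorted(expected - granted),
        "excess": sorted(granted - expected),
        "overprivileged": sorted(granted & OVERPRIVILEGED_ROLES),
    }


def check_graph_permissions(granted_names):
    """Compare granted Graph permissions with the documented set.

    Directory.Read.All satisfies the directory requirement on its own;
    otherwise all three narrower permissions must be present.
    """
    granted = set(granted_names)
    if "Directory.Read.All" in granted:
        directory_missing = []
    else:
        directory_missing = sorted(DIRECTORY_READ_EQUIVALENT - granted)
    missing = sorted(OTHER_GRAPH_PERMISSIONS - granted) + directory_missing
    return {
        "missing": missing,
        "excess": sorted(granted - ALLOWED_GRAPH_PERMISSIONS),
    }


def main():
    assignments = load_assignments(SAMPLE_ASSIGNMENTS_JSON)
    for mode in ("read-only", "manage"):
        print(mode, check_roles(assignments, mode))
    print("graph", check_graph_permissions(SAMPLE_GRAPH_PERMISSIONS))


if __name__ == "__main__":
    main()
```

In the sample, the Manage-mode check passes on required roles but flags Contributor as both excess and over-privileged, and the Graph check reports Application.Read.All and AccessReview.Read.All as missing while Mail.Read is surplus. The same two functions can be fed real `az` output once the Graph permission IDs are resolved to names.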

More Links