Azure Roles and Permissions
This topic describes the Azure applications and roles that CloudGuard uses to manage your accounts.
The applications and the roles granted give CloudGuard permission to manage specific entities (such as Security Groups, Instances, etc.) in your Azure account.
Roles
The roles depend on whether the account is managed as Read-Only or Manage.
You must create a new Web App/API application (and name it CloudGuard-Connect, for example).
- Read-Only: You must add this Access Control role to the Web App/API application, in your subscription: Reader.
- Manage: You must add these Access Control roles to the Web App/API application, in your subscription:
  - Reader
  - Network Contributor
Permissions
Important - To ensure the maximal security of your assets, CloudGuard adheres to the principle of least privilege and requires only a minimal set of access permissions. If you want to allow CloudGuard more access, grant access to additional resources and services. For troubleshooting information, see Troubleshooting Azure Onboarding.
Administrator consent is necessary to add the API application permissions below:
- Directory.Read.All, which includes and can be replaced by these permissions:
  - User.Read.All
  - Group.Read.All
  - Application.Read.All
- Reports.Read.All, which is required for Security Center-related entities, such as DefenderServerVulnAssmt
- Policy.Read.All, used for fetching AD access policies, such as:
  - ADAuthorizationPolicy
  - ADCondAccessPolicy
  - ADSecurityDefaults
- AccessReview.Read.All, used for fetching AD-level review policies, such as:
  - ADAccessReviewsScheduleDefinition
  - ADCondAccessNamedLocation
For more information about the permissions used, see Microsoft Graph permissions reference.
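The roles and Graph permissions above define a least-privilege set, so it is worth checking, after onboarding, that the CloudGuard application holds exactly that set and nothing more. The following script is an added example, not CloudGuard's or Microsoft's own code. It assumes you have already exported the application's role assignments to JSON (for example with `az role assignment list --assignee <app-id> --subscription <subscription-id>`) and resolved its granted Microsoft Graph application permissions to their names; the sample assignment list and permission set below are constructed by hand so the script runs offline. For each management mode it reports required roles that are missing, assigned roles that go beyond the required set, assignments that are not at subscription scope, and Graph permissions that are missing or surplus, treating the three narrower permissions as an acceptable substitute for Directory.Read.All as the page describes.

```python
"""Audit a CloudGuard Web App/API application's Azure role assignments and
Microsoft Graph application permissions against the least-privilege set.

Added example, not CloudGuard's or Microsoft's code. Assumes the role
assignments were exported beforehand (e.g. `az role assignment list`) and the
Graph permissions were resolved to names; the sample data is constructed.
"""
import json

# Access Control roles required per management mode (from the Roles section).
REQUIRED_ROLES = {
    "Read-Only": {"Reader"},
    "Manage": {"Reader", "Network Contributor"},
}

# Graph application permissions from the Permissions section. Directory.Read.All
# may be replaced by the three narrower permissions it includes.
GRAPH_REQUIRED = {"Reports.Read.All", "Policy.Read.All", "AccessReview.Read.All"}
DIRECTORY_READ = "Directory.Read.All"
DIRECTORY_READ_ALTERNATIVES = {"User.Read.All", "Group.Read.All", "Application.Read.All"}


def audit_roles(assignments_json, mode, subscription_id):
    """Compare exported role assignments with the roles `mode` requires.

    `assignments_json` is the JSON array produced by `az role assignment list`;
    only the `roleDefinitionName` and `scope` fields are used.
    """
    expected_scope = f"/subscriptions/{subscription_id}"
    assigned = set()
    wrong_scope = []
    for assignment in json.loads(assignments_json):
        name = assignment["roleDefinitionName"]
        scope = assignment.get("scope", "")
        assigned.add(name)
        # The page asks for the roles at subscription scope; anything else is flagged.
        if scope != expected_scope:
            wrong_scope.append(f"{name} @ {scope}")
    required = REQUIRED_ROLES[mode]
    return {
        "missing": sorted(required - assigned),
        "extra": sorted(assigned - required),
        "wrong_scope": sorted(wrong_scope),
    }


def audit_graph_permissions(granted):
    """Compare granted Graph application permission names with the required set."""
    granted = set(granted)
    directory_ok = DIRECTORY_READ in granted or DIRECTORY_READ_ALTERNATIVES <= granted
    missing = sorted(GRAPH_REQUIRED - granted)
    if not directory_ok:
        missing.append(
            "Directory.Read.All (or User.Read.All + Group.Read.All + Application.Read.All)"
        )
    allowed = GRAPH_REQUIRED | {DIRECTORY_READ} | DIRECTORY_READ_ALTERNATIVES
    return {"missing": missing, "extra": sorted(granted - allowed)}


# Constructed sample data: a placeholder subscription id, an over-privileged
# Contributor assignment on a resource group, and a Graph grant that lacks two
# required permissions but carries an unrelated one (Mail.Read).
SAMPLE_SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION}"},
    {"roleDefinitionName": "Network Contributor", "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION}"},
    {"roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION}/resourceGroups/rg-demo"},
])
SAMPLE_GRAPH_GRANT = {
    "User.Read.All", "Group.Read.All", "Application.Read.All",
    "Reports.Read.All", "Mail.Read",
}


def main():
    for mode in REQUIRED_ROLES:
        print(mode, audit_roles(SAMPLE_ASSIGNMENTS, mode, SAMPLE_SUBSCRIPTION))
    print("Graph", audit_graph_permissions(SAMPLE_GRAPH_GRANT))


if __name__ == "__main__":
    main()
```

Anything listed under `extra` or `wrong_scope` is a candidate for removal, and anything under `missing` explains a failed onboarding before you reach the troubleshooting page.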