Azure Roles and Permissions

This topic describes the Azure Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft®. applications and roles that CloudGuard uses to manage your accounts.

The applications and the roles granted give CloudGuard permission to manage specific entities (such as Security Groups, Instances, etc.) in your Azure account.

Roles

The roles depend on if the account is managed as Read-Only or Manage.

You must create a new Web App/API application (and name it CloudGuard-Connect, for example)

• Read-Only

  You must add this Access Control role to the Web App/API application, in your subscription: Reader.

• Manage

  You must add these Access Control roles to the Web App/API application, in your subscription:

  • Reader

  • Network Contributor

Permissions

An administrator consent is necessary to add the API application permissions below:

• Directory.Read.All, which includes and can be replaced by these permissions:

  • User.Read.All

  • Group.Read.All

  • Application.Read.All

• Reports.Read.All, which is required for Security Center-related entities, such as DefenderServerVulnAssmt

• Policy.Read.All used for fetching AD access policies, such as:

  • ADAuthorizationPolicy

  • ADCondAccessPolicy

  • ADSecurityDefaults

• AccessReview.Read.All used for fetching AD-level review policies, such as:

  • ADAccessReviewsScheduleDefinition

  • ADCondAccessNamedLocation

  For more information about used permissions, see Microsoft Graph permissions reference.

More Links

• Onboarding Azure Organizations

• Onboarding an Azure Subscription

• Microsoft Graph permissions reference