Microsoft Azure environments - Adaptive Applications - BlueCat Gateway

Microsoft Azure environments - Adaptive Applications - BlueCat Gateway - 23.1.1

Cloud Discovery & Visibility Administration Guide

Locale

English

Product name

BlueCat Gateway

Version

23.1.1

The following sections describe Cloud Discovery & Visibility (CDV) features and configuration specific to Microsoft Azure environments.

Before you begin

Ensure that the following requirements are met:

You must have an Azure account to retrieve the Azure data with the following permissions set:
- Common permissions for virtual networks, load balancers, DNS zones, and private DNS Zones:
  - "Microsoft.Authorization/*/read"
  - "Microsoft.Resources/subscriptions/resourceGroups/read"
  - "Microsoft.Resources/deployments/*"
  - "Microsoft.Compute/*/read"
  - "Microsoft.ClassicCompute/*/read"
  - "Microsoft.Network/*/read"
  - "Microsoft.ClassicNetwork/*/read"
  - "Microsoft.Storage/*/read"
Role permissions:
- Allows for full access to Azure Service Bus resources (BuiltinRole)
  - "Microsoft.ServiceBus/*"
    Attention: You must not set the subscription policy to deny "Microsoft.ServiceBus/namespaces". If the subscription policy to deny "Microsoft.ServiceBus/namespaces" is enabled, the following message might appear in the Cloud Discovery & Visibility Azure UI when using the visibility feature:
```
[ERROR] Something wrong when get Service Bus HT-PoC
```
- Manage EventGrid event subscription operations (BuiltinRole)
  - "Microsoft.Authorization/*/read"
  - "Microsoft.EventGrid/systemTopics/read"
  - "Microsoft.EventGrid/eventSubscriptions/*"
  - "Microsoft.EventGrid/topicTypes/eventSubscriptions/read"
  - "Microsoft.EventGrid/locations/eventSubscriptions/read"
  - "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read"
  - "Microsoft.Insights/AlertRules/*"
  - "Microsoft.Resources/deployments/*"
  - "Microsoft.Resources/subscriptions/resourceGroups/read"
  - "Microsoft.Support/*"
- Monitoring Reader (BuiltinRole)
  - "Microsoft.OperationalInsights/workspaces/search/action"
  - "Microsoft.Support/*"
- Discovery permissions:
  - "Microsoft.Authorization/*/read"
  - "Microsoft.Resources/subscriptions/resourceGroups/read"
  - "Microsoft.Compute/*/read"
  - "Microsoft.ClassicCompute/*/read"
  - "Microsoft.Network/*/read"
  - "Microsoft.ClassicNetwork/*/read"
  - "Microsoft.Storage/*/read"
  You can use the following JSON code to add Discovery permissions:
```
{
    "id": "/",
    "properties": {
        "roleName": "Discovery",
        "description": "",
        "assignableScopes": [
            "/subscriptions/<subscription id>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/*/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Compute/*/read",
                    "Microsoft.ClassicCompute/*/read",
                    "Microsoft.Network/*/read",
                    "Microsoft.ClassicNetwork/*/read",
                    "Microsoft.Storage/*/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
```
- Visibility permissions:
  - "Microsoft.ServiceBus/*"
  - "Microsoft.EventGrid/systemTopics/read"
  - "Microsoft.EventGrid/eventSubscriptions/*"
  - "Microsoft.EventGrid/topicTypes/eventSubscriptions/read"
  - "Microsoft.EventGrid/locations/eventSubscriptions/read"
  - "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read"
  - "Microsoft.Insights/alertRules/*"
  You can use the following JSON code to add Visibility permissions:
```
{
    "id": "/",
    "properties": {
        "roleName": "Visibility",
        "description": "",
        "assignableScopes": [
            "/subscriptions/<subscription id>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.ServiceBus/*",
                    "Microsoft.EventGrid/systemTopics/read",
                    "Microsoft.EventGrid/eventSubscriptions/*",
                    "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
                    "Microsoft.EventGrid/locations/eventSubscriptions/read",
                    "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
                    "Microsoft.Insights/alertRules/*"
                ],
                "notActions": [],
                "dataActions": [
                    "Microsoft.ServiceBus/*"
                ],
                "notDataActions": []
            }
        ]
    }
} 
```
- Manually-created visibility system permissions:
  - "Microsoft.EventGrid/systemTopics/read"
  - "Microsoft.EventGrid/eventSubscriptions/write"
  - "Microsoft.EventGrid/eventSubscriptions/read"
  - "Microsoft.EventGrid/topictypes/eventSubscriptions/read"
  - "Microsoft.EventGrid/locations/eventSubscriptions/read"
  - "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read"
  - "Microsoft.ServiceBus/namespaces/read"
  - "Microsoft.ServiceBus/namespaces/authorizationRules/read"
  - "Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action"
  - "Microsoft.ServiceBus/namespaces/queues/read"
  - "Microsoft.ServiceBus/namespaces/queues/authorizationRules/read"