The following sections describe Cloud Discovery & Visibility (CDV) features and configuration specific to Microsoft Azure environments.
Before you begin
Ensure that the following requirements are met:
- You must have an Azure account to retrieve the Azure data with the following permissions set:
- Common permissions for virtual networks, load balancers, DNS zones, and private DNS zones:
"Microsoft.Authorization/*/read"
"Microsoft.Resources/subscriptions/resourceGroups/read"
"Microsoft.Resources/deployments/*"
"Microsoft.Compute/*/read"
"Microsoft.ClassicCompute/*/read"
"Microsoft.Network/*/read"
"Microsoft.ClassicNetwork/*/read"
"Microsoft.Storage/*/read"
- Role permissions:
- Allows for full access to Azure Service Bus resources (BuiltinRole)
"Microsoft.ServiceBus/*"
Attention: You must not set the subscription policy to deny "Microsoft.ServiceBus/namespaces". If a subscription policy that denies "Microsoft.ServiceBus/namespaces" is enabled, the following message might appear in the Cloud Discovery & Visibility Azure UI when using the visibility feature: [ERROR] Something wrong when get Service Bus HT-PoC
- Manage EventGrid event subscription operations (BuiltinRole)
"Microsoft.Authorization/*/read"
"Microsoft.EventGrid/systemTopics/read"
"Microsoft.EventGrid/eventSubscriptions/*"
"Microsoft.EventGrid/topicTypes/eventSubscriptions/read"
"Microsoft.EventGrid/locations/eventSubscriptions/read"
"Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read"
"Microsoft.Insights/AlertRules/*"
"Microsoft.Resources/deployments/*"
"Microsoft.Resources/subscriptions/resourceGroups/read"
"Microsoft.Support/*"
- Monitoring Reader (BuiltinRole)
"Microsoft.OperationalInsights/workspaces/search/action"
"Microsoft.Support/*"
- Discovery permissions:
"Microsoft.Authorization/*/read"
"Microsoft.Resources/subscriptions/resourceGroups/read"
"Microsoft.Compute/*/read"
"Microsoft.ClassicCompute/*/read"
"Microsoft.Network/*/read"
"Microsoft.ClassicNetwork/*/read"
"Microsoft.Storage/*/read"
You can use the following JSON code to add Discovery permissions:
{
  "id": "/",
  "properties": {
    "roleName": "Discovery",
    "description": "",
    "assignableScopes": [
      "/subscriptions/<subscription id>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Authorization/*/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Compute/*/read",
          "Microsoft.ClassicCompute/*/read",
          "Microsoft.Network/*/read",
          "Microsoft.ClassicNetwork/*/read",
          "Microsoft.Storage/*/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
- Visibility permissions:
"Microsoft.ServiceBus/*"
"Microsoft.EventGrid/systemTopics/read"
"Microsoft.EventGrid/eventSubscriptions/*"
"Microsoft.EventGrid/topicTypes/eventSubscriptions/read"
"Microsoft.EventGrid/locations/eventSubscriptions/read"
"Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read"
"Microsoft.Insights/alertRules/*"
You can use the following JSON code to add Visibility permissions:
{
  "id": "/",
  "properties": {
    "roleName": "Visibility",
    "description": "",
    "assignableScopes": [
      "/subscriptions/<subscription id>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.ServiceBus/*",
          "Microsoft.EventGrid/systemTopics/read",
          "Microsoft.EventGrid/eventSubscriptions/*",
          "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
          "Microsoft.EventGrid/locations/eventSubscriptions/read",
          "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
          "Microsoft.Insights/alertRules/*"
        ],
        "notActions": [],
        "dataActions": [
          "Microsoft.ServiceBus/*"
        ],
        "notDataActions": []
      }
    ]
  }
}
- Manually-created visibility system permissions:
"Microsoft.EventGrid/systemTopics/read"
"Microsoft.EventGrid/eventSubscriptions/write"
"Microsoft.EventGrid/eventSubscriptions/read"
"Microsoft.EventGrid/topictypes/eventSubscriptions/read"
"Microsoft.EventGrid/locations/eventSubscriptions/read"
"Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read"
"Microsoft.ServiceBus/namespaces/read"
"Microsoft.ServiceBus/namespaces/authorizationRules/read"
"Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action"
"Microsoft.ServiceBus/namespaces/queues/read"
"Microsoft.ServiceBus/namespaces/queues/authorizationRules/read"
- Custom visibility system location permissions:
"Microsoft.Resources/subscriptions/resourceGroups/write"
"Microsoft.Resources/subscriptions/resourceGroups/read"
- Allows for full access to Azure Service Bus resources (BuiltinRole)
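The Discovery and Visibility role definitions above can be generated from the documented action lists and later re-checked for drift beyond that least-privilege set. This is an added example, not Infoblox's or Azure's own code: the subscription id is a placeholder, and the drift check is a local comparison of a role definition (for instance one exported with the Azure CLI) against the documented actions, not an Azure API call.

```python
import json

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real subscription

# Action lists copied from the Discovery and Visibility roles documented above.
DISCOVERY_ACTIONS = [
    "Microsoft.Authorization/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Compute/*/read",
    "Microsoft.ClassicCompute/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.ClassicNetwork/*/read",
    "Microsoft.Storage/*/read",
]
VISIBILITY_ACTIONS = [
    "Microsoft.ServiceBus/*",
    "Microsoft.EventGrid/systemTopics/read",
    "Microsoft.EventGrid/eventSubscriptions/*",
    "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
    "Microsoft.EventGrid/locations/eventSubscriptions/read",
    "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
    "Microsoft.Insights/alertRules/*",
]

def role_definition(name, actions, subscription_id, data_actions=()):
    """Build a custom role definition in the shape shown on this page, scoped to one subscription."""
    return {
        "id": "/",
        "properties": {
            "roleName": name,
            "description": "",
            "assignableScopes": [f"/subscriptions/{subscription_id}"],
            "permissions": [{"actions": list(actions), "notActions": [],
                             "dataActions": list(data_actions), "notDataActions": []}],
        },
    }

def excess_actions(role, expected):
    """Actions granted by an existing role definition that the documented role does not list.
    A non-empty result means the role has been widened beyond what CDV needs."""
    granted = {a for p in role["properties"]["permissions"] for a in p.get("actions", [])}
    return sorted(granted - set(expected))

def non_read_actions(actions):
    """Actions that are not plain read operations (wildcards such as 'Microsoft.ServiceBus/*' included)."""
    return [a for a in actions if not a.endswith("/read")]

if __name__ == "__main__":
    # Writes the two role definition files that 'az role definition create --role-definition @file' accepts.
    for name, acts, data in (("Discovery", DISCOVERY_ACTIONS, ()), ("Visibility", VISIBILITY_ACTIONS, ("Microsoft.ServiceBus/*",))):
        with open(f"{name.lower()}-role.json", "w") as fh:
            json.dump(role_definition(name, acts, SUBSCRIPTION_ID, data), fh, indent=2)
```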