The following sections describe Cloud Discovery & Visibility (CDV) features and configuration specific to Microsoft Azure environments.
Before you begin
Ensure that the following requirements are met:
- You must have an Azure account to retrieve the Azure data with the following permissions set:
- Common permissions for virtual networks, load balancers, DNS zones, and private DNS zones:
- Role permissions:
- Allows for full access to Azure Service Bus resources (BuiltinRole)
Attention: You must not set the subscription policy to deny "Microsoft.ServiceBus/namespaces". If a subscription policy that denies "Microsoft.ServiceBus/namespaces" is enabled, the following message might appear in the Cloud Discovery & Visibility Azure UI when using the visibility feature: [ERROR] Something wrong when get Service Bus HT-PoC
- Manage EventGrid event subscription operations (BuiltinRole)
- Monitoring Reader (BuiltinRole)
- Discovery permissions:
The following permissions are required for discovering public alias records:
- The following permission is required to discover internal Kubernetes resources:
You can use the following JSON code to add Discovery permissions (the custom role definition; replace <subscription id> with your subscription ID):
{
  "id": "/",
  "properties": {
    "roleName": "Discovery",
    "description": "",
    "assignableScopes": [
      "/subscriptions/<subscription id>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Authorization/*/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Compute/*/read",
          "Microsoft.ClassicCompute/*/read",
          "Microsoft.Network/*/read",
          "Microsoft.ClassicNetwork/*/read",
          "Microsoft.Storage/*/read",
          "Microsoft.Web/staticSites/read",
          "Microsoft.Resources/subscriptions/read",
          "Microsoft.Cdn/*/read",
          "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
- Visibility permissions:
You can use the following JSON code to add Visibility permissions (the custom role definition; replace <subscription id> with your subscription ID):
{
  "id": "/",
  "properties": {
    "roleName": "Visibility",
    "description": "",
    "assignableScopes": [
      "/subscriptions/<subscription id>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.ServiceBus/*",
          "Microsoft.EventGrid/systemTopics/read",
          "Microsoft.EventGrid/eventSubscriptions/*",
          "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
          "Microsoft.EventGrid/locations/eventSubscriptions/read",
          "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
          "Microsoft.Insights/alertRules/*"
        ],
        "notActions": [],
        "dataActions": [
          "Microsoft.ServiceBus/*"
        ],
        "notDataActions": []
      }
    ]
  }
}
- Manually-created visibility system permissions:
- Custom visibility system location permissions:
- Public DNS alias records:
- Allows for full access to Azure Service Bus resources (BuiltinRole)
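The two custom role definitions above grant more than plain read access (wildcard Service Bus and Event Grid actions, a data-plane action, and an AKS credential-listing action), so before assigning them it is worth auditing exactly which entries widen the role beyond read-only discovery and whether the assignable scope is pinned to one subscription. The following script is an added example and not part of the product documentation; the two role objects are constructed here and abbreviated from the JSON above, with a root scope "/" added to the Visibility sample to exercise the scope check.

```python
"""Audit Azure custom role definitions (such as the CDV Discovery and Visibility
roles) for control-plane actions that are not */read, for any data-plane actions,
and for assignable scopes wider than a single subscription."""
import json
import re

# Constructed sample, abbreviated from the Discovery role shown on the page.
DISCOVERY_ROLE = json.loads("""{
  "id": "/",
  "properties": {
    "roleName": "Discovery",
    "assignableScopes": ["/subscriptions/<subscription id>"],
    "permissions": [{
      "actions": ["Microsoft.Network/*/read", "Microsoft.Compute/*/read",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"],
      "notActions": [], "dataActions": [], "notDataActions": []}]}}""")

# Constructed sample, abbreviated from the Visibility role; the "/" scope is
# added here deliberately to show how an over-broad assignable scope is reported.
VISIBILITY_ROLE = json.loads("""{
  "id": "/",
  "properties": {
    "roleName": "Visibility",
    "assignableScopes": ["/subscriptions/<subscription id>", "/"],
    "permissions": [{
      "actions": ["Microsoft.ServiceBus/*", "Microsoft.EventGrid/systemTopics/read",
        "Microsoft.EventGrid/eventSubscriptions/*", "Microsoft.Insights/alertRules/*"],
      "notActions": [], "dataActions": ["Microsoft.ServiceBus/*"], "notDataActions": []}]}}""")

READ_ONLY = re.compile(r".+/read$")                 # ends in an explicit read leaf
ONE_SUBSCRIPTION = re.compile(r"^/subscriptions/[^/]+$")


def audit_role(role):
    """Return the entries that take a role beyond read-only discovery: actions that
    are wildcards or write/action operations (listClusterUserCredential/action hands
    out cluster credentials, so it is flagged too), data-plane actions, and scopes
    not pinned to exactly one subscription."""
    props = role["properties"]
    non_read, data = [], []
    for block in props["permissions"]:
        non_read += [a for a in block["actions"] if not READ_ONLY.match(a)]
        data += block.get("dataActions", [])
    broad = [s for s in props["assignableScopes"] if not ONE_SUBSCRIPTION.match(s)]
    return {"roleName": props["roleName"], "nonReadActions": non_read,
            "dataActions": data, "broadScopes": broad}


if __name__ == "__main__":
    for role in (DISCOVERY_ROLE, VISIBILITY_ROLE):
        print(json.dumps(audit_role(role), indent=2))
```

Running it against the page's full role definitions (load them with json.load instead of the abbreviated samples) lists every action a reviewer must consciously accept before the role is assigned.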