The following sections describe Cloud Discovery & Visibility (CDV) features and configuration specific to Microsoft Azure environments.
Note:
Microsoft has announced that as of October 31, 2024, Azure support for Transport Layer Security (TLS) 1.0 and TLS 1.1 will end. As of that date, interactions with Azure services will require the use of TLS 1.2. Cloud Discovery & Visibility fully supports TLS 1.2 and is unaffected by this change.
Before you begin, make sure that the following requirements are met:
- You must have an Azure account to retrieve the Azure data with the following
permissions set:
- Common permissions for virtual networks, load balancers, DNS zones, and
private DNS Zones:
"Microsoft.Authorization/*/read""Microsoft.Resources/subscriptions/resourceGroups/read""Microsoft.Resources/deployments/*""Microsoft.Compute/*/read""Microsoft.ClassicCompute/*/read""Microsoft.Network/*/read""Microsoft.ClassicNetwork/*/read""Microsoft.Storage/*/read"
- Common permissions for virtual networks, load balancers, DNS zones, and
private DNS Zones:
- Role permissions:
- Allows for full access to Azure Service Bus resources (BuiltinRole)
"Microsoft.ServiceBus/*"Attention: You must not set the subscription policy to deny"Microsoft.ServiceBus/namespaces". If the subscription policy to deny"Microsoft.ServiceBus/namespaces"is enabled, the following message might appear in the Cloud Discovery & Visibility Azure UI when using the visibility feature:[ERROR] Something wrong when get Service Bus HT-PoC
- Manage EventGrid event subscription operations (BuiltinRole)
"Microsoft.Authorization/*/read""Microsoft.EventGrid/systemTopics/read""Microsoft.EventGrid/eventSubscriptions/*""Microsoft.EventGrid/topicTypes/eventSubscriptions/read""Microsoft.EventGrid/locations/eventSubscriptions/read""Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read""Microsoft.Insights/AlertRules/*""Microsoft.Resources/deployments/*""Microsoft.Resources/subscriptions/resourceGroups/read""Microsoft.Support/*"
- Monitoring Reader (BuiltinRole)
"Microsoft.OperationalInsights/workspaces/search/action""Microsoft.Support/*"
- Discovery permissions:
"Microsoft.Authorization/*/read""Microsoft.Resources/subscriptions/resourceGroups/read""Microsoft.Compute/*/read""Microsoft.ClassicCompute/*/read""Microsoft.Network/*/read""Microsoft.ClassicNetwork/*/read""Microsoft.Storage/*/read"-
The following permissions are required for discovering public alias records:
"Microsoft.Web/staticSites/read""Microsoft.Resources/subscriptions/read""Microsoft.Cdn/*/read"
- The following permission is required to discover internal
Kubernetes Resources:
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action""Microsoft.ContainerService/managedClusters/read"
You can use the following JSON code to add Discovery permissions:{ "id": "/", "properties": { "roleName": "Discovery", "description": "", "assignableScopes": [ "/subscriptions/<subscription id>" ], "permissions": [ { "actions": [ "Microsoft.Authorization/*/read", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Compute/*/read", "Microsoft.ClassicCompute/*/read", "Microsoft.Network/*/read", "Microsoft.ClassicNetwork/*/read", "Microsoft.Storage/*/read", "Microsoft.Web/staticSites/read", "Microsoft.Resources/subscriptions/read", "Microsoft.Cdn/*/read", "Microsoft.ContainerService/managedClusters/read", "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action" ], "notActions": [], "dataActions": [], "notDataActions": [] } ] } } - Visibility permissions:
"Microsoft.ServiceBus/*""Microsoft.EventGrid/systemTopics/read""Microsoft.EventGrid/eventSubscriptions/*""Microsoft.EventGrid/topicTypes/eventSubscriptions/read""Microsoft.EventGrid/locations/eventSubscriptions/read""Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read""Microsoft.Insights/alertRules/*"
You can use the following JSON code to add Visibility permissions:{ "id": "/", "properties": { "roleName": "Visibility", "description": "", "assignableScopes": [ "/subscriptions/<subscription id>" ], "permissions": [ { "actions": [ "Microsoft.ServiceBus/*", "Microsoft.EventGrid/systemTopics/read", "Microsoft.EventGrid/eventSubscriptions/*", "Microsoft.EventGrid/topicTypes/eventSubscriptions/read", "Microsoft.EventGrid/locations/eventSubscriptions/read", "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read", "Microsoft.Insights/alertRules/*" ], "notActions": [], "dataActions": [ "Microsoft.ServiceBus/*" ], "notDataActions": [] } ] } } - Manually-created visibility system permissions:
"Microsoft.EventGrid/systemTopics/read""Microsoft.EventGrid/eventSubscriptions/write""Microsoft.EventGrid/eventSubscriptions/read""Microsoft.EventGrid/topictypes/eventSubscriptions/read""Microsoft.EventGrid/locations/eventSubscriptions/read""Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read""Microsoft.ServiceBus/namespaces/read""Microsoft.ServiceBus/namespaces/authorizationRules/read""Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action""Microsoft.ServiceBus/namespaces/queues/read""Microsoft.ServiceBus/namespaces/queues/authorizationRules/read"
- Custom visibility system location permissions:
"Microsoft.Resources/subscriptions/resourceGroups/write""Microsoft.Resources/subscriptions/resourceGroups/read"
- Public DNS alias records:
"Microsoft.Web/staticSites/read""Microsoft.Resources/subscriptions/read"
- Allows for full access to Azure Service Bus resources (BuiltinRole)