Azure Custom Roles

Custom Roles for Harvesting Azure Accounts and Resources with InsightCloudSec

InsightCloudSec offers a few custom roles for Azure accounts ("subscriptions") and organizations ("management groups") that will be harvested. Role usage depends on the level of access you want to provide InsightCloudSec (Read Only vs. Power User) or the type of account being added to InsightCloudSec (single account vs. organization). For most scenarios within InsightCloudSec, using the Azure-created roles is appropriate. The roles provided here include the following:


Key Rotation Permissions

Due to a limitation in Azure, roles scoped to a Management Group (Azure Organization) cannot include dataActions permissions. Because both the Azure Single Cloud and Organization setup instructions recommend the roles below, those roles omit the Microsoft Key Vault dataActions permission "Microsoft.KeyVault/vaults/keyrotationpolicies/read", which provides read access to key rotation policies (an InsightCloudSec-supported resource). Omitting it keeps one role definition usable at either scope, which simplifies copying the role during setup as well as role maintenance.

  • Custom Azure Reader User Role -- This role will grant InsightCloudSec read-only permissions exclusively to InsightCloudSec-supported resources within a given Azure subscription or management group so that it can harvest data and report on it
  • Azure Reader Plus Role -- This role will grant InsightCloudSec extensive read-only permissions, including increased access to Azure Web Apps
  • Azure Power User Role -- This role will grant InsightCloudSec all permissions to supported resources within a given Azure subscription or management group so it can act upon cloud resources in addition to monitoring and reporting on them
  • Azure Organization Reader User Role -- This role will grant InsightCloudSec access to Azure management group information; see Organizations (Azure) for details

Note: The "Microsoft.ContainerRegistry/registries/pull/read" permission is included in the power user, reader, and reader plus roles as it needs to be explicit if not using one of the Azure built-in Owner, Contributor, or AcrPull roles.

For any questions about the content provided here, feel free to reach out to us through the Customer Support Portal.


Role Versions

Many of the roles included in the sections below have two versions: one for just the permissions associated with the role and one for the full JSON with abbreviated permissions. The permissions version can be simply copied into an in-progress custom role (as part of the Azure Setup - Single Cloud and Azure Setup - Organization instructions). The full JSON version can be saved, modified, and uploaded as a JSON file during the custom role assignment process. Review Azure's documentation for more information.
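As an added example (not part of the InsightCloudSec documentation or product), the following Python merges a copied permissions block into the full-JSON template, fills in the assignable scope, and refuses to emit a management-group scoped role that carries dataActions, the limitation noted above. The template, the permissions excerpt and the subscription id are constructed samples.

```python
import json
from copy import deepcopy

MANAGEMENT_GROUP_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Constructed sample: the "full JSON" shape with its "..." placeholder, and a
# short excerpt of a reader role's permissions block.
ROLE_TEMPLATE = {
    "properties": {
        "roleName": "InsightCloudSec Reader User Role (Subscription)",
        "description": "Read-only access to InsightCloudSec-supported resources.",
        "assignableScopes": ["/subscriptions/<subscription-id>"],
        "permissions": [
            {"actions": ["..."], "notActions": [], "dataActions": [], "notDataActions": []}
        ],
    }
}

READER_PERMISSIONS = [
    {
        "actions": [
            "Microsoft.Authorization/roleAssignments/read",
            "Microsoft.KeyVault/vaults/read",
            "Microsoft.Storage/storageAccounts/read",
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": [],
    }
]


def build_role_definition(template, permissions, scopes):
    """Return a complete role definition: the template with its '...' placeholder
    replaced by the real permissions block and assignableScopes set to `scopes`.
    Raises ValueError for a definition Azure would reject or that is still a stub."""
    if not scopes:
        raise ValueError("at least one assignable scope is required")
    role = deepcopy(template)
    props = role["properties"]
    props["assignableScopes"] = list(scopes)
    props["permissions"] = deepcopy(permissions)
    for block in props["permissions"]:
        for key in ("actions", "notActions", "dataActions", "notDataActions"):
            block.setdefault(key, [])
        if "..." in block["actions"]:
            raise ValueError("permissions still contain the '...' placeholder")
        # Management-group scoped roles cannot carry dataActions; catch it
        # here rather than at upload time.
        if block["dataActions"] and any(s.startswith(MANAGEMENT_GROUP_PREFIX) for s in scopes):
            raise ValueError("dataActions are not allowed for management group scopes")
    return role


def role_to_json(role):
    """Serialise the definition in the same shape as the full-JSON versions on this page."""
    return json.dumps(role, indent=4)


if __name__ == "__main__":
    # Constructed subscription id, not a real one.
    sub = "/subscriptions/00000000-0000-0000-0000-000000000000"
    print(role_to_json(build_role_definition(ROLE_TEMPLATE, READER_PERMISSIONS, [sub])))
```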

Custom Azure Reader User Role

If you are interested in operating in read-only mode, which prevents InsightCloudSec from taking actions against your Microsoft Azure resources, then we recommend using the Custom Azure Reader User role. This role grants InsightCloudSec read-only permissions to supported resources so data is harvested and available for reporting.

"permissions": [
    {
        "actions": [
            "Microsoft.Advisor/recommendations/read",
            "Microsoft.ApiManagement/service/read",
            "Microsoft.Authorization/classicAdministrators/read",
            "Microsoft.Authorization/locks/read",
            "Microsoft.Authorization/policyAssignments/read",
            "Microsoft.Authorization/policyDefinitions/read",
            "Microsoft.Authorization/policySetDefinitions/read",
            "Microsoft.Authorization/roleAssignments/read",
            "Microsoft.Authorization/roleDefinitions/read",
            "Microsoft.Batch/batchAccounts/read",
            "Microsoft.Batch/batchAccounts/pools/read",
            "Microsoft.Cache/redis/read",
            "Microsoft.Cache/redis/firewallRules/read",
            "Microsoft.Cdn/profiles/*/read",
            "Microsoft.Compute/disks/read",
            "Microsoft.Compute/galleries/read",
            "Microsoft.Compute/galleries/images/read",
            "Microsoft.Compute/galleries/images/versions/read",
            "Microsoft.Compute/hostGroups/read",
            "Microsoft.Compute/images/read",
            "Microsoft.Compute/skus/read",
            "Microsoft.Compute/snapshots/read",
            "Microsoft.Compute/virtualMachineScaleSets/extensions/read",
            "Microsoft.Compute/virtualMachineScaleSets/instanceView/read",
            "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read",
            "Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses/read",
            "Microsoft.Compute/virtualMachineScaleSets/read",
            "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/extensions/read",
            "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read",
            "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/publicIPAddresses/read",
            "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/read",
            "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read",
            "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
            "Microsoft.Compute/virtualMachines/extensions/read",
            "Microsoft.Compute/virtualMachines/instanceView/read",
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.ContainerInstance/containerGroups/read",
            "Microsoft.ContainerRegistry/registries/pull/read",
            "Microsoft.ContainerRegistry/registries/read",
            "Microsoft.ContainerService/managedClusters/read",
            "Microsoft.Databricks/workspaces/read",
            "Microsoft.DataFactory/factories/read",
            "Microsoft.DataLakeStore/accounts/read",
            "Microsoft.DBforMariaDB/locations/performanceTiers/read",
            "Microsoft.DBforMariaDB/performanceTiers/read",
            "Microsoft.DBforMariaDB/servers/configurations/read",
            "Microsoft.DBforMariaDB/servers/firewallRules/read",
            "Microsoft.DBforMariaDB/servers/read",
            "Microsoft.DBforMariaDB/servers/virtualNetworkRules/read",
            "Microsoft.DBforMySQL/flexibleServers/configurations/read",
            "Microsoft.DBforMySQL/flexibleServers/firewallRules/read",
            "Microsoft.DBforMySQL/flexibleServers/read",
            "Microsoft.DBforMySQL/locations/performanceTiers/read",
            "Microsoft.DBforMySQL/performanceTiers/read",
            "Microsoft.DBforMySQL/servers/administrators/read",
            "Microsoft.DBforMySQL/servers/configurations/read",
            "Microsoft.DBforMySQL/servers/firewallRules/read",
            "Microsoft.DBforMySQL/servers/keys/read",
            "Microsoft.DBforMySQL/servers/read",
            "Microsoft.DBforMySQL/servers/virtualNetworkRules/read",
            "Microsoft.DBforPostgreSQL/flexibleServers/configurations/read",
            "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/read",
            "Microsoft.DBforPostgreSQL/flexibleServers/read",
            "Microsoft.DBforPostgreSQL/locations/performanceTiers/read",
            "Microsoft.DBforPostgreSQL/performanceTiers/read",
            "Microsoft.DBforPostgreSQL/servers/administrators/read",
            "Microsoft.DBforPostgreSQL/servers/configurations/read",
            "Microsoft.DBforPostgreSQL/servers/firewallRules/read",
            "Microsoft.DBforPostgreSQL/servers/keys/read",
            "Microsoft.DBforPostgreSQL/servers/read",
            "Microsoft.DBforPostgreSQL/servers/virtualNetworkRules/read",
            "Microsoft.DocumentDB/databaseAccounts/read",
            "Microsoft.DocumentDB/databaseAccounts/usages/read",
            "Microsoft.EventHub/namespaces/eventhubs/read",
            "Microsoft.EventHub/namespaces/networkruleset/read",
            "Microsoft.EventHub/namespaces/networkrulesets/read",
            "Microsoft.EventHub/namespaces/read",
            "Microsoft.HDInsight/clusters/read",
            "Microsoft.Insights/DiagnosticSettings/Read",
            "Microsoft.Insights/LogProfiles/read",
            "Microsoft.KeyVault/vaults/read",
            "Microsoft.Logic/workflows/read",
            "Microsoft.Network/applicationGateways/read",
            "Microsoft.Network/azurefirewalls/read",
            "Microsoft.Network/dnszones/A/read",
            "Microsoft.Network/dnszones/AAAA/read",
            "Microsoft.Network/dnszones/CAA/read",
            "Microsoft.Network/dnszones/CNAME/read",
            "Microsoft.Network/dnszones/MX/read",
            "Microsoft.Network/dnszones/NS/read",
            "Microsoft.Network/dnszones/PTR/read",
            "Microsoft.Network/dnszones/SOA/read",
            "Microsoft.Network/dnszones/SRV/read",
            "Microsoft.Network/dnszones/TXT/read",
            "Microsoft.Network/dnszones/read",
            "Microsoft.Network/dnszones/recordsets/read",
            "Microsoft.Network/expressRouteCircuits/read",
            "Microsoft.Network/frontDoors/read",
            "Microsoft.Network/ipGroups/read",
            "Microsoft.Network/loadBalancers/backendAddressPools/read",
            "Microsoft.Network/loadBalancers/frontendIPConfigurations/read",
            "Microsoft.Network/loadBalancers/networkInterfaces/read",
            "Microsoft.Network/loadBalancers/read",
            "Microsoft.Network/locations/usages/read",
            "Microsoft.Network/natGateways/read",
            "Microsoft.Network/networkInterfaces/read",
            "Microsoft.Network/networkSecurityGroups/read",
            "Microsoft.Network/networkWatchers/configureFlowLog/action",
            "Microsoft.Network/networkWatchers/flowLogs/read",
            "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
            "Microsoft.Network/networkWatchers/read",
            "Microsoft.Network/privateDnsZones/A/read",
            "Microsoft.Network/privateDnsZones/AAAA/read",
            "Microsoft.Network/privateDnsZones/CNAME/read",
            "Microsoft.Network/privateDnsZones/MX/read",
            "Microsoft.Network/privateDnsZones/PTR/read",
            "Microsoft.Network/privateDnsZones/SOA/read",
            "Microsoft.Network/privateDnsZones/SRV/read",
            "Microsoft.Network/privateDnsZones/TXT/read",
            "Microsoft.Network/privateDnsZones/read",
            "Microsoft.Network/privateDnsZones/recordsets/read",
            "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read",
            "Microsoft.Network/privateEndpoints/read",
            "Microsoft.Network/privateLinkServices/read",
            "Microsoft.Network/publicIPAddresses/read",
            "Microsoft.Network/routeTables/read",
            "Microsoft.Network/serviceEndpointPolicies/read",
            "Microsoft.Network/trafficManagerProfiles/read",
            "Microsoft.Network/virtualNetworks/read",
            "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
            "Microsoft.Network/virtualnetworks/read",
            "Microsoft.Network/virtualNetworkGateways/read",
            "Microsoft.OperationalInsights/workspaces/read",
            "Microsoft.Resources/subscriptions/locations/read",
            "Microsoft.Resources/subscriptions/providers/read",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Resources/subscriptions/resourcegroups/resources/read",
            "Microsoft.Resources/templatespecs/versions/read",
            "Microsoft.Search/searchServices/read",
            "Microsoft.Security/advancedThreatProtectionSettings/read",
            "Microsoft.Security/alerts/read",
            "Microsoft.Security/assessments/read",
            "Microsoft.Security/assessments/*/read",
            "Microsoft.Security/autoProvisioningSettings/read",
            "Microsoft.Security/locations/jitNetworkAccessPolicies/read",
            "Microsoft.Security/pricings/read",
            "Microsoft.Security/securityContacts/read",
            "Microsoft.Security/tasks/read",
            "Microsoft.ServiceBus/namespaces/networkRuleSets/read",
            "Microsoft.ServiceBus/namespaces/queues/read",
            "Microsoft.ServiceBus/namespaces/read",
            "Microsoft.Sql/managedInstances/administrators/read",
            "Microsoft.Sql/managedInstances/encryptionProtector/read",
            "Microsoft.Sql/managedInstances/read",
            "Microsoft.Sql/managedInstances/securityAlertPolicies/read",
            "Microsoft.Sql/managedInstances/vulnerabilityAssessments/read",
            "Microsoft.Sql/servers/administrators/read",
            "Microsoft.Sql/servers/auditingSettings/read",
            "Microsoft.Sql/servers/databases/auditingSettings/read",
            "Microsoft.Sql/servers/databases/extendedAuditingSettings/read",
            "Microsoft.Sql/servers/databases/read",
            "Microsoft.Sql/servers/databases/securityAlertPolicies/read",
            "Microsoft.Sql/servers/databases/skus/read",
            "Microsoft.Sql/servers/databases/transparentDataEncryption/read",
            "Microsoft.Sql/servers/extendedAuditingSettings/read",
            "Microsoft.Sql/servers/encryptionProtector/read",
            "Microsoft.Sql/servers/firewallRules/read",
            "Microsoft.Sql/servers/read",
            "Microsoft.Sql/servers/securityAlertPolicies/read",
            "Microsoft.Sql/servers/virtualNetworkRules/read",
            "Microsoft.Sql/servers/vulnerabilityAssessments/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/read",
            "Microsoft.Storage/storageAccounts/fileServices/shares/read",
            "Microsoft.Storage/storageAccounts/read",
            "Microsoft.Synapse/workspaces/read",
            "Microsoft.Web/serverfarms/read",
            "Microsoft.Web/sites/read",
            "Microsoft.Web/sites/config/read",
            "Microsoft.Web/sites/config/list/Action",
            "Microsoft.Web/sites/functions/read",
            "Microsoft.Web/sites/privateEndpointConnections/read",
            "Microsoft.Web/sites/slots/read",
            "Microsoft.Web/sites/slots/config/read",
            "Microsoft.Web/sites/slots/config/list/Action",
            "Microsoft.Web/sites/slots/functions/read",
            "microsoft.web/sites/slots/virtualnetworkconnections/read",
            "microsoft.web/sites/virtualnetworkconnections/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
    }
]
{
    "properties": {
        "roleName": "InsightCloudSec Reader User Role (Subscription)",
        "description": "Provides read-only access to resources supported by InsightCloudSec for a given Subscription.",
        "assignableScopes": [
            "/subscriptions/<subscription-id>"
        ],
        "permissions": [
            {
                "actions": [
                    "..."
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Azure Reader Plus User Role

The Reader Plus role is similar to the Reader role but offers read-only permissions to all resources instead of only the resources that InsightCloudSec supports. In addition, the following permissions are explicitly granted:

  • "Microsoft.Web/sites/config/list/Action"
  • "Microsoft.Web/sites/slots/config/list/Action"

The config/list/Action permissions above let InsightCloudSec determine whether Web Apps are configured to require authentication and whether Serverless Functions are enabled or disabled. The caveat is that the same permissions also expose any environment variables configured for Web Apps, which may contain sensitive information.
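A review step worth running before either role is assigned, added here as an example (not InsightCloudSec code): sort a role's actions into plain reads, non-read operations, provider wildcards and the config/list/Action entries discussed above, so that everything beyond read-only access is visible before the role is granted. The sample action list is constructed from entries that appear on this page.

```python
# Actions the page calls out as also returning Web App environment variables.
SENSITIVE_ACTIONS = {
    "microsoft.web/sites/config/list/action",
    "microsoft.web/sites/slots/config/list/action",
}


def classify_action(action):
    """Classify one RBAC action string. Azure matches actions case-insensitively."""
    a = action.lower()
    if a in SENSITIVE_ACTIONS:
        return "sensitive"   # read-only in name, but lists app settings
    if a.endswith("/read"):
        return "read"        # Microsoft.X/y/read, */read, Microsoft.Cdn/profiles/*/read
    if a.endswith("/action"):
        return "action"      # an operation rather than a plain GET; review individually
    if a == "*" or a.endswith("/*"):
        return "wildcard"    # covers write and delete operations under that prefix
    return "write"           # explicit write/delete or an unrecognised verb


def audit_actions(actions):
    """Group a role's actions by class so a reviewer sees everything that is
    not a plain read before the role is assigned."""
    report = {"read": [], "action": [], "sensitive": [], "wildcard": [], "write": []}
    for action in actions:
        report[classify_action(action)].append(action)
    return report


def is_strictly_read_only(actions):
    """True only when every action is a plain read with no sensitive list operations."""
    r = audit_actions(actions)
    return not (r["action"] or r["sensitive"] or r["wildcard"] or r["write"])


# Constructed sample: a subset of the Reader role's list plus one Power User entry.
SAMPLE_ACTIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Cdn/profiles/*/read",
    "Microsoft.Network/networkWatchers/configureFlowLog/action",
    "Microsoft.Web/sites/config/list/Action",
    "Microsoft.Web/sites/slots/config/list/Action",
    "Microsoft.Authorization/*",
    "*/read",
]

if __name__ == "__main__":
    for kind, items in audit_actions(SAMPLE_ACTIONS).items():
        for item in items:
            print(f"{kind:9} {item}")
```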

"permissions": [
    {
        "actions": [
            "*/read",
            "Microsoft.ContainerRegistry/registries/pull/read",
            "Microsoft.Web/sites/config/list/Action",
            "Microsoft.Web/sites/slots/config/list/Action"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
    }
]
{
    "properties": {
        "roleName": "InsightCloudSec Reader Plus User Role (Subscription)",
        "description": "Provides read-only access to all Azure resources plus some additional permissions not covered by the built-in Reader role for a given Subscription.",
        "assignableScopes": [
            "/subscriptions/<subscription-id>"
        ],
        "permissions": [
            {
                "actions": [
                    "..."
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Azure Power User Role

If you would like to use InsightCloudSec to manage your Microsoft Azure resources directly or through the use of Bots, then use the InsightCloudSec Azure Power User role. The InsightCloudSec Azure Power User role will grant InsightCloudSec all permissions to supported resources so it can act upon cloud resources in addition to monitoring and reporting on them.

Subscription

"permissions": [
    {
        "actions": [
            "Microsoft.Advisor/*",
            "Microsoft.ApiManagement/*",
            "Microsoft.Authorization/*",
            "Microsoft.Batch/*",
            "Microsoft.Cache/*",
            "Microsoft.Cdn/*",
            "Microsoft.Compute/*",
            "Microsoft.ContainerInstance/*",
            "Microsoft.ContainerRegistry/*",
            "Microsoft.ContainerService/*",
            "Microsoft.Databricks/*",
            "Microsoft.DataFactory/*",
            "Microsoft.DataLakeStore/*",
            "Microsoft.DBforMariaDB/*",
            "Microsoft.DBforMySQL/*",
            "Microsoft.DBforPostgreSQL/*",
            "Microsoft.DocumentDB/*",
            "Microsoft.EventHub/*",
            "Microsoft.HDInsight/*",
            "Microsoft.Insights/*",
            "Microsoft.KeyVault/*",
            "Microsoft.Logic/*",
            "Microsoft.Network/*",
            "Microsoft.OperationalInsights/*",
            "Microsoft.Resources/*",
            "Microsoft.Search/*",
            "Microsoft.Security/*",
            "Microsoft.ServiceBus/*",
            "Microsoft.Sql/*",
            "Microsoft.Storage/*",
            "Microsoft.Synapse/*",
            "Microsoft.Web/*"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
    }
]
{
    "properties": {
        "roleName": "InsightCloudSec Power User Role (Subscription)",
        "description": "Provides full access to resources supported by InsightCloudSec for a given Subscription.",
        "assignableScopes": [
            "/subscriptions/<subscription-id>"
        ],
        "permissions": [
            {
                "actions": [
                    "..."
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Azure Organization Reader Role

If you are adding an Azure Organization to InsightCloudSec, you'll need to create the Azure Organization Reader Role. This role will grant InsightCloudSec read-only permissions to aspects of management groups and subscriptions so that it can harvest data and report on them.

"permissions": [
    {
        "actions": [
            "Microsoft.Management/managementGroups/descendants/read",
            "Microsoft.Management/managementGroups/read",
            "Microsoft.Management/managementGroups/settings/read",
            "Microsoft.Resources/subscriptions/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
    }
]
{
    "properties": {
        "roleName": "InsightCloudSec Organization Reader User Role (Management Group)",
        "description": "Provides access to read the structure for a given Management Group.",
        "assignableScopes": [
            "/providers/Microsoft.Management/managementGroups/<my-management-group>"
        ],
        "permissions": [
            {
                "actions": [
                    "..."
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}