Take Me to the Docs!API ReferenceRelease NotesSupport Portal
Contact Us

Azure Custom Roles

Custom Roles for Harvesting Azure Accounts and Resources with InsightCloudSec

Suggest Edits

InsightCloudSec offers a few custom roles for Azure accounts ("subscriptions") and organizations ("management groups") that will be harvested. Role usage depends on the level of access you want to provide InsightCloudSec (Read Only vs. Power User) or the type of account being added to InsightCloudSec (single account vs. organization, Commercial vs. GovCloud). For most scenarios within InsightCloudSec, using the Azure-created roles is appropriate. Note: New required permissions are announced in our release notes. The roles provided here include the following:

📘

Explicit and Key Vault Permissions

  • The "Microsoft.ContainerRegistry/registries/pull/read" permission is included in the Commercial and GovCloud Reader and Reader Plus roles as it needs to be explicit if not using one of the Azure built-in Owner, Contributor, or AcrPull roles.
  • Due to a limitation with Azure, roles with a Management Group (Azure Organization) scope cannot have dataActions permissions. As such, the relevant roles below do not include a dataActions permission for Microsoft Key Vault, "Microsoft.KeyVault/vaults/keyrotationpolicies/read", which 
provides read access to key rotation policies (an InsightCloudSec-supported resource). This simplifies copying the role during setup as well as role maintenance.

Azure Commercial Harvesting

  • Azure Custom Reader User Role -- This role will grant InsightCloudSec read-only permissions exclusively to InsightCloudSec-supported resources within a given Azure subscription or management group so that it can harvest data and report on it
  • Azure Reader Plus User Role -- This role will grant InsightCloudSec extensive read-only permissions, including increased access to Azure Web Apps
  • Azure Power User User Role-- This role will grant InsightCloudSec all permissions to supported resources within a given Azure subscription or management group so it can act upon cloud resources in addition to monitoring and reporting on them

Additional Harvesting Policies

  • Azure Organization Reader User Role -- This role will grant InsightCloudSec access to Azure management group information

For any questions about the content provided here, feel free to reach out to us through the Customer Support Portal.

📘

Azure GovCloud Details

All Azure GovCloud details can be found within the Government Cloud Support Reference page.

Azure Commercial Harvesting

For Azure commercial (non-GovCloud) accounts, there are three role options (excluding Azure's built-in roles):

Azure Custom Reader User Role

If you are interested in operating in read-only mode, which prevents InsightCloudSec from taking actions against your Microsoft Azure resources, then we recommend using the Azure Custom Reader User role. This role grants InsightCloudSec read-only permissions to supported resources so data is harvested and available for reporting, but this means the role must be manually updated with each new Azure service that InsightCloudSec supports.

The role JSON can be obtained from our public S3 bucket. Note: The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.

Azure Reader Plus User Role

The Reader Plus role is similar to the built-in Azure Reader role but offers read-only permissions to all resources instead of only the resources that InsightCloudSec supports. Because of the wildcard usage, the role is more easily maintained. In addition, the following permissions are explicitly granted:

  • "Microsoft.Web/sites/config/list/Action",
  • "Microsoft.Web/sites/slots/config/list/Action"


For the permissions above, the config/list/Action permission provides visibility to determine if Web Apps are configured to require authentication and for Serverless Functions to determine if the function is enabled/disabled. The caveat is that those permissions also provide access to any environment variables configured for WebApps, which may contain sensitive information.

The role JSON can be obtained from our public S3 bucket. Note: The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.

Azure Power User Role

If you would like to use InsightCloudSec to manage your Microsoft Azure resources directly or through the use of Bots, then use the InsightCloudSec Azure Power User role. The InsightCloudSec Azure Power User role will grant InsightCloudSec all permissions to supported resources so it can act upon cloud resources in addition to monitoring and reporting on them, but this means the role must be manually updated with each new Azure service that InsightCloudSec supports.

The role JSON can be obtained from our public S3 bucket. Note: The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.

Additional Harvesting Policies

Azure Organization Reader Role

If you are adding an Azure Organization to InsightCloudSec, you'll need to create the Azure Organization Reader Role. This role will grant InsightCloudSec read-only permissions to aspects of management groups and subscriptions so that it can harvest data and report on them. This role must be attached to the Tenant Root Group in order for InsightCloudSec to be able to read all of the management groups and subscriptions in the tenant.

🚧

Code Block Tabs

The role included in the code block below has two tabs: one for just the permissions associated with the role and one for the full JSON with abbreviated permissions. The permissions version can be simply copied into an in-progress custom role. The full JSON version can be saved, modified, and uploaded as a JSON file during the custom role assignment process. Review Azure's documentation for more information.

"permissions": [
    {
        "actions": [
            "Microsoft.Management/managementGroups/descendants/read",
            "Microsoft.Management/managementGroups/read",
            "Microsoft.Management/managementGroups/settings/read",
            "Microsoft.Resources/subscriptions/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
    }
]

{
    "properties": {
        "roleName": "InsightCloudSec Organization Reader User Role (Management Group)",
        "description": "Provides access to read the structure for a given Management Group.",
        "assignableScopes": [
            "/providers/Microsoft.Management/managementGroups/<my-management-group>"
        ],
        "permissions": [
            {
                "actions": [
                  	"..."
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Updated 4 months ago