Azure Application Role Assignment
This page explains how to set the application roles necessary to connect to Secberus.
Below are step-by-step instructions for assigning the Reader role to a Secberus-connected Azure AD App at the Subscription or Resource Group level in the Azure Portal.
At the end, you’ll also find a guide for granting User(s) access to provision Secberus-connected Apps with roles at both the Subscription and Resource Group levels.
When onboarding an Azure Data Provider onto the platform, you must grant permissions to read either a subscription or a resource group; only one is necessary. Assigning our App a role at the Subscription level also gives it permissions to all of the Subscription's nested Resource Groups, whereas granting permissions at the Resource Group level gives you fine-grained control over which parts of your cloud we can access.
App Service Permissions
Note that you will need to add a Role Assignment at the subscription level for each of the following roles and permissions:
- Reader
- Microsoft.Web/sites/config/list/action
- Microsoft.Storage/storageAccounts/listkeys/action
- Key Vault Reader
Granting Access to a Subscription
- Navigate to the Subscription service in your Azure Portal.
- Select the Subscription you would like to grant access to from the list.
- From the Subscription Overview page, select the Access control (IAM) tab on the left side of the screen.
- Click the +Add button toward the top-left of the page and select Add role assignment in the resultant dropdown menu.
- Leave the Assignment type set to Job function roles and select Next.
- Search for and select the Reader role and click Next.
- Click + Select members and then search for and select the entry for the app created for a Secberus data source.
- Confirm the app is listed under Selected members and click Select.
- Confirm the Selected role and Members are correct and select Review + assign.
- Confirm the Scope is correct and click Review + assign.
- Navigate to the Role assignments tab on the Access control (IAM) page and verify that the role assignment you’ve created is correct.
- Repeat these steps for the following permissions:
  - Microsoft.Web/sites/config/list/action
  - Microsoft.Storage/storageAccounts/listkeys/action
  - Key Vault Reader
You have assigned an application role to your Secberus Application.
Now complete the Secberus onboarding by clicking "connect" on your Secberus Account.
Granting Access to a Resource Group
- Navigate to Resource groups in the Azure Portal.
- Select the Resource group you would like to grant access to from the list and follow the link in its Name.
- From the Resource group Overview page, select Access control (IAM).
- Click the +Add button and select Add role assignment in the resultant dropdown menu.
- Leave the Assignment type set to Job function roles and select Next.
- Search for and select the Reader role and click Next.
- Click + Select members and then search for and select the Secberus app to assign.
- Confirm the app is under Selected members and click Select.
- Confirm the Selected role and Members and click Review + assign.
- Confirm the scope and select Review + assign.
- Repeat these steps for the following permissions:
  - Microsoft.Web/sites/config/list/action
  - Microsoft.Storage/storageAccounts/listkeys/action
  - Key Vault Reader
You have assigned your application a role on the resource group.
Now complete the Secberus onboarding by clicking "connect" on your Secberus Account.
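The same assignments for either procedure above, scripted with the Azure CLI; this is an added example, not Secberus tooling. The role name, file name and script name are assumptions, and because the two `Microsoft.*` entries are Azure RBAC actions rather than built-in role names, the script carries them in a custom role.

```shell
#!/usr/bin/env bash
# Added example (not Secberus tooling). ROLE_NAME and ROLE_FILE are assumed names.
ROLE_NAME="Secberus App Service Read"
ROLE_FILE="secberus-role.json"

# Accept only a subscription or a resource group scope, the two levels the page covers.
valid_scope() {
  case "$1" in
    /subscriptions/*/resourceGroups/?*/*) return 1 ;;  # below resource group level
    /subscriptions/?*/resourceGroups/?*)  return 0 ;;
    /subscriptions/*/*)                   return 1 ;;
    /subscriptions/?*)                    return 0 ;;
    *)                                    return 1 ;;
  esac
}

# Custom role carrying the two actions from the page. Both return sensitive values
# (app settings, storage account keys), so keep the role to these two actions.
role_definition_json() {
  cat <<EOF
{
  "Name": "$ROLE_NAME",
  "IsCustom": true,
  "Description": "Actions listed for the Secberus app",
  "Actions": [
    "Microsoft.Web/sites/config/list/action",
    "Microsoft.Storage/storageAccounts/listkeys/action"
  ],
  "NotActions": [],
  "AssignableScopes": ["$1"]
}
EOF
}

# Create the custom role, assign all three roles to the app, then list them to verify.
apply_assignments() {
  scope="$1"; app_id="$2"
  valid_scope "$scope" || { echo "unsupported scope: $scope" >&2; return 1; }
  role_definition_json "$scope" > "$ROLE_FILE"
  az role definition create --role-definition "@$ROLE_FILE"
  for role in "Reader" "Key Vault Reader" "$ROLE_NAME"; do
    az role assignment create --assignee "$app_id" --role "$role" --scope "$scope"
  done
  az role assignment list --assignee "$app_id" --scope "$scope" --output table
}

# Usage: ./assign.sh --apply /subscriptions/<subscription-id> <app-client-id>
if [ "${1:-}" = "--apply" ]; then apply_assignments "${2:-}" "${3:-}"; fi
```

Run it from a session already signed in with `az login` as a user allowed to create role definitions and role assignments at the chosen scope.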