Required Permissions

When onboarding an Azure Data Provider onto the platform, you must grant read permissions on either a subscription or a resource group; only one is necessary. Assigning our App a role at the Subscription level also gives it permissions on all of the Resource Groups nested under it, whereas granting permissions at the Resource Group level gives you fine-grained control over which parts of your cloud we can access.

In order for Secberus to collect the data it needs from your Azure account, the app registration (data source) needs the following permissions:

  1. The built-in roles:
    1. Reader built-in role
    2. Key Vault Reader built-in role
  2. A custom role with the following permissions:
    1. Microsoft.Web/sites/config/list/action
    2. Microsoft.Storage/storageAccounts/listkeys/action
    3. Microsoft.Storage/storageAccounts/queueServices/queues/getAcl/action
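
Before assigning the custom role, you can check that it grants exactly the three permissions listed above and nothing broader. The following is an added example, not Secberus code: it assumes the role definition is a dict in the shape that `az role definition list` prints as JSON (`permissions`, `assignableScopes`), and the function name, sample role and subscription ID are constructed for illustration.

```python
from fnmatch import fnmatch

# The three custom-role permissions listed on this page, lower-cased so that
# spellings such as listkeys and listKeys compare as the same permission.
REQUIRED = {
    "microsoft.web/sites/config/list/action",
    "microsoft.storage/storageaccounts/listkeys/action",
    "microsoft.storage/storageaccounts/queueservices/queues/getacl/action",
}

def audit_custom_role(role):
    """Report where a role definition differs from the page's permission list."""
    granted, denied = set(), set()
    for perm in role.get("permissions", []):
        for key in ("actions", "dataActions"):
            granted.update(a.lower() for a in perm.get(key, []))
        for key in ("notActions", "notDataActions"):
            denied.update(a.lower() for a in perm.get(key, []))

    def covered(action):
        # Granted by an exact entry or a wildcard, and not excluded again.
        return (any(fnmatch(action, g) for g in granted)
                and not any(fnmatch(action, d) for d in denied))

    return {
        "missing": sorted(a for a in REQUIRED if not covered(a)),
        "extra": sorted(g for g in granted - REQUIRED if "*" not in g),
        "wildcards": sorted(g for g in granted if "*" in g),
        # Scopes without a resource group segment apply to a whole subscription.
        "subscription_scopes": [s for s in role.get("assignableScopes", [])
                                if "/resourcegroups/" not in s.lower()],
    }

# Constructed sample role; the subscription ID is a placeholder.
SAMPLE_ROLE = {
    "permissions": [{"actions": [
        "Microsoft.Web/sites/config/list/Action",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Network/*",
    ]}],
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}

if __name__ == "__main__":
    print(audit_custom_role(SAMPLE_ROLE))
```

An empty `missing`, `extra` and `wildcards` result means the role matches the list on this page; `subscription_scopes` shows where the role can be assigned to an entire subscription rather than a single resource group.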