Review the permissions required to deploy resources and connect Azure Management Groups to TrendAI Vision One™.
The following permissions are required to successfully deploy TrendAI Vision One™ cloud security resources to your Management Group and all subscriptions within it.
To learn more about Azure permissions, see the Azure permissions documentation.
Required roles
Azure management group required roles
| Role | What the role enables | Notes |
|---|---|---|
| User Access Administrator |  | Required on all subscriptions in the management group |
| Contributor |  | Required on all subscriptions in the management group |
| Owner | Includes both User Access Administrator and Contributor permissions | Can be used instead of assigning User Access Administrator and Contributor separately |
| Management Group Reader |  | Required at the management group level |
| Application Administrator |  | Required for Microsoft Entra ID users. Assign through Azure Portal: |
Validating permissions
You can validate that the required permissions are correctly configured by running the following commands in Azure CLI:

Test management group access:

    az account management-group show --name <mg-id>

Test subscription listing:

    az account management-group entities list --query "[?type=='/subscriptions']"

Test primary subscription access:

    az account show --subscription <primary-sub-id>
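The three commands above confirm that the signed-in identity can read the management group and its subscriptions, but they do not tell you whether the role assignments from the table (Owner, or User Access Administrator plus Contributor, on every subscription, and Management Group Reader at the management-group scope) are actually in place. The following POSIX shell script is an added example, not code from the Trend Micro documentation or product: it evaluates role-assignment JSON in the shape that `az role assignment list -o json` produces and reports each missing assignment. The management group name, subscription IDs, principal name and JSON samples are constructed placeholders; the `live_check` function, which assumes `az role assignment list --scope` and `az account management-group entities list` output as described in its comments, only runs when the Azure CLI is installed.

```shell
#!/bin/sh
# Added example (not part of the TrendAI Vision One documentation): verify that the
# role assignments required for a management-group deployment are present.
# Input is role-assignment JSON as printed by `az role assignment list -o json`,
# assumed to be an array of flat objects (no nested braces), which is the case for
# that command's output. All GUIDs, names and sample JSON below are constructed.

# one_object_per_line JSON: put each assignment object on a single line so that the
# role name and scope of one assignment can be matched together with grep.
one_object_per_line() {
  printf '%s' "$1" | tr -d '\n' | tr '}' '\n'
}

# has_role_at_scope JSON ROLE SCOPE: succeed if ROLE is assigned exactly at SCOPE.
# The closing quotes in both patterns prevent prefix matches such as
# "Storage Blob Data Contributor" or a resource-group scope under the subscription.
has_role_at_scope() {
  one_object_per_line "$1" \
    | grep -F -- "\"roleDefinitionName\": \"$2\"" \
    | grep -F -q -- "\"scope\": \"$3\""
}

# subscription_ok JSON SUB_ID: the page's rule for one subscription, either Owner or
# both User Access Administrator and Contributor, directly on the subscription.
subscription_ok() {
  scope="/subscriptions/$2"
  if has_role_at_scope "$1" "Owner" "$scope"; then return 0; fi
  if has_role_at_scope "$1" "User Access Administrator" "$scope" \
     && has_role_at_scope "$1" "Contributor" "$scope"; then return 0; fi
  return 1
}

# management_group_ok JSON MG_NAME: Management Group Reader at the management-group scope.
management_group_ok() {
  has_role_at_scope "$1" "Management Group Reader" \
    "/providers/Microsoft.Management/managementGroups/$2"
}

# all_ok JSON MG_NAME SUB_ID...: check the management group and every subscription,
# printing one MISSING line per gap; returns 1 if anything is missing.
all_ok() {
  json="$1"; mg="$2"; shift 2
  rc=0
  management_group_ok "$json" "$mg" \
    || { echo "MISSING: Management Group Reader on management group $mg"; rc=1; }
  for sub in "$@"; do
    subscription_ok "$json" "$sub" \
      || { echo "MISSING: Owner, or User Access Administrator + Contributor, on subscription $sub"; rc=1; }
  done
  return $rc
}

# live_check MG_NAME: run the same checks against the signed-in account when az exists.
# Assumes `az account management-group entities list` returns subscription entities
# whose `name` is the subscription ID, and that `az role assignment list --scope`
# lists assignments made directly at that scope.
live_check() {
  command -v az >/dev/null 2>&1 || { echo "az CLI not found; nothing checked" >&2; return 2; }
  json="$(az role assignment list --scope "/providers/Microsoft.Management/managementGroups/$1" -o json)"
  subs="$(az account management-group entities list --query "[?type=='/subscriptions'].name" -o tsv)"
  for sub in $subs; do
    json="$json$(az role assignment list --scope "/subscriptions/$sub" -o json)"
  done
  all_ok "$json" "$1" $subs
}

# Constructed sample: everything the table asks for (Owner on one subscription,
# User Access Administrator + Contributor on the other, Reader on the management group).
SAMPLE_COMPLETE='[
  { "principalName": "deployer@example.com", "roleDefinitionName": "Owner",
    "scope": "/subscriptions/00000000-0000-0000-0000-00000000000a" },
  { "principalName": "deployer@example.com", "roleDefinitionName": "User Access Administrator",
    "scope": "/subscriptions/00000000-0000-0000-0000-00000000000b" },
  { "principalName": "deployer@example.com", "roleDefinitionName": "Contributor",
    "scope": "/subscriptions/00000000-0000-0000-0000-00000000000b" },
  { "principalName": "deployer@example.com", "roleDefinitionName": "Management Group Reader",
    "scope": "/providers/Microsoft.Management/managementGroups/mg-example" }
]'

# Constructed sample: Contributor without User Access Administrator on the second
# subscription and no Management Group Reader, which are two of the cases that surface
# as "Cannot create role definitions" and "Cannot list management group subscriptions".
SAMPLE_INCOMPLETE='[
  { "principalName": "deployer@example.com", "roleDefinitionName": "Owner",
    "scope": "/subscriptions/00000000-0000-0000-0000-00000000000a" },
  { "principalName": "deployer@example.com", "roleDefinitionName": "Contributor",
    "scope": "/subscriptions/00000000-0000-0000-0000-00000000000b" }
]'
```

To use it against a real tenant, source the script and call `live_check <mg-id>` after `az login`; against captured output, call `all_ok "$(cat assignments.json)" <mg-id> <sub-id>...`. The check matches scopes exactly, so an Owner assignment inherited from the management group is not credited to its subscriptions; that is deliberate, since the table asks for the roles on each subscription, but adjust `subscription_ok` if your tenant relies on inheritance.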
Common issues
Troubleshooting permission errors
| Error | Solution |
|---|---|
| Cannot list management group subscriptions | Assign a Management Group Reader role. |
| Cannot create state storage resources | Assign an Owner or Contributor role on the primary subscription. |
| Cannot create App Registration | Assign an Application Administrator role in Azure AD. |
| Cannot create role definitions | Assign an Owner role (or User Access Administrator + Contributor) on all subscriptions. |
