Review the permissions required to deploy resources and the permissions granted when connecting Azure subscriptions to TrendAI Vision One™.
The following permissions are required to be able to successfully deploy TrendAI Vision One™ cloud security resources to your Azure subscription.
Note
The permissions listed here are required for single Azure subscriptions. If you are deploying an Azure Management Group, see Azure management group required permissions.
  • For Microsoft Entra ID users, your sign-in must hold both of the following directory roles:
    • Application Administrator
    • Privileged Role Administrator
  • For Microsoft Azure users, your sign-in must hold both of the following roles (or a role that includes them, such as Owner) on the subscription you are connecting:
    • User Access Administrator
    • Contributor
    Both are needed because the Contributor role's NotActions exclude Microsoft.Authorization/*/Write, and the deployment creates role assignments (Microsoft.Authorization/roleAssignments/write); User Access Administrator supplies that part.
  • To enable Microsoft Defender for Endpoint Log Collection or Cloud Detections for Azure Activity Log, your Microsoft Azure sign-in must also hold the following role:
    • Key Vault Secrets Officer
    This role grants data-plane access to secret values, so assign it at the narrowest scope that works rather than at the subscription.
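The following Python script is an added example, not Trend Micro's code or part of this page, that shows why Contributor and User Access Administrator are both required. It evaluates a list of required operations against role definitions using Azure RBAC's rules: an operation is permitted by a role when it matches one of the role's Actions (DataActions for data-plane operations) and none of its NotActions, `*` matches any characters including `/`, matching is case-insensitive, and several assignments are additive. The role definitions are transcribed from Azure's built-in roles and are an assumption of the example; the required-operation sample is a constructed subset of the File Storage Security and Cloud Security Posture lists further down this page.

```python
"""Check whether a set of Azure roles covers a list of required operations.

Added example; not part of the Trend Micro documentation or tooling.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class RoleDefinition:
    name: str
    actions: List[str] = field(default_factory=list)
    not_actions: List[str] = field(default_factory=list)
    data_actions: List[str] = field(default_factory=list)
    not_data_actions: List[str] = field(default_factory=list)


def operation_matches(pattern: str, operation: str) -> bool:
    """Azure wildcard match: '*' becomes '.*', everything else is literal, case ignored."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_allows(role: RoleDefinition, operation: str, data_action: bool = False) -> bool:
    """Allowed if some Actions/DataActions pattern matches and no NotActions/NotDataActions pattern does."""
    allow, deny = ((role.data_actions, role.not_data_actions) if data_action
                   else (role.actions, role.not_actions))
    return (any(operation_matches(p, operation) for p in allow)
            and not any(operation_matches(p, operation) for p in deny))


def missing_operations(roles, required):
    """Return the operations in `required` ((name, is_data_action) pairs) that no role permits."""
    return [op for op, is_data in required
            if not any(role_allows(r, op, is_data) for r in roles)]


# Assumption: transcribed from Azure's built-in role definitions at the time of
# writing. Confirm with `az role definition list --name "<role>"` before relying on them.
CONTRIBUTOR = RoleDefinition("Contributor", actions=["*"], not_actions=[
    "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete",
    "Microsoft.Compute/galleries/share/action",
    "Microsoft.Purview/consents/write", "Microsoft.Purview/consents/delete",
    "Microsoft.Resources/deploymentStacks/manageDenySetting/action",
    "Microsoft.Subscription/cancel/action", "Microsoft.Subscription/enable/action",
])
USER_ACCESS_ADMINISTRATOR = RoleDefinition(
    "User Access Administrator",
    actions=["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"])
OWNER = RoleDefinition("Owner", actions=["*"])  # control plane only: no DataActions
KEY_VAULT_SECRETS_OFFICER = RoleDefinition(
    "Key Vault Secrets Officer",
    actions=["Microsoft.Authorization/*/read", "Microsoft.Resources/deployments/*",
             "Microsoft.Resources/subscriptions/resourceGroups/read",
             "Microsoft.Insights/alertRules/*", "Microsoft.Support/*"],
    data_actions=["Microsoft.KeyVault/vaults/secrets/*"])

# Constructed sample: a subset of the operations this page lists for File Storage
# Security and Cloud Security Posture. True marks a data-plane action.
REQUIRED_SAMPLE: List[Tuple[str, bool]] = [
    ("Microsoft.Authorization/roleAssignments/write", False),
    ("Microsoft.Authorization/roleDefinitions/write", False),
    ("Microsoft.Storage/storageAccounts/listKeys/action", False),
    ("Microsoft.Web/sites/config/list/Action", False),
    ("Microsoft.KeyVault/vaults/secrets/readMetadata/action", True),
]


def report(roles, required=REQUIRED_SAMPLE) -> str:
    """One-line coverage summary for a combination of roles."""
    names = " + ".join(r.name for r in roles)
    gaps = missing_operations(roles, required)
    if not gaps:
        return f"{names}: covers all {len(required)} required operations"
    return f"{names}: missing {len(gaps)} -> " + ", ".join(gaps)


if __name__ == "__main__":
    for combo in ([CONTRIBUTOR], [USER_ACCESS_ADMINISTRATOR], [OWNER],
                  [CONTRIBUTOR, USER_ACCESS_ADMINISTRATOR, KEY_VAULT_SECRETS_OFFICER]):
        print(report(combo))
```

Running it shows Contributor alone failing on the Microsoft.Authorization writes (blocked by its own NotActions), User Access Administrator alone failing on everything that is not a read or an authorization operation, Owner covering the control plane but not the Key Vault data action, and the three roles together covering the sample. To audit a real deployment, replace the transcribed definitions with the output of `az role definition list` for the roles actually assigned to the Cloud Accounts identity and the required list with the full table for the feature you enabled.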
During deployment, the Terraform process assigns permissions to the identities it creates so that the Cloud Accounts app and the TrendAI Vision One™ cloud security services can obtain temporary credentials and carry out their tasks in your Azure environment. The permissions granted for each feature are listed below.

Core features

Permission type
Required permissions
Azure Resource Manager (ARM) permissions
  • Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
  • Microsoft.ContainerService/managedClusters/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleDefinitions/read
  • */read
API permissions
  • Azure Active Directory Graph
    • Directory.Read.All | Delegated
    • Directory.Read.All | Application
    • User.Read | Delegated
    • User.Read.All | Delegated
  • Microsoft Graph
    • Directory.Read.All | Application
    • User.Read | Delegated
    • User.Read.All | Delegated
    • User.Read.All | Application

Server & Workload Protection

Permission category
Required permissions
Subscription permissions
  • Microsoft.Resources/subscriptions/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/providers/read
  • Microsoft.Resources/resources/read
Virtual Machine (VM) permissions
  • Microsoft.Compute/virtualMachines/read
Virtual Machine Scale Set (VMSS) permissions
  • Microsoft.Compute/virtualMachineScaleSets/read
Classic Virtual Machine (VM) permissions
  • Microsoft.ClassicCompute/virtualMachines/read
  • Microsoft.ClassicCompute/domainNames/read
Network permissions
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/networkInterfaces/read
  • Microsoft.Network/publicIPAddresses/read
  • Microsoft.Network/virtualNetworks/read
Azure Metadata API permissions
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Compute/locations/read
Authentication and IAM permissions
  • Microsoft.Resources/deployments/read
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleDefinitions/read

Cloud Security Posture

Permission category
Required permissions
API permissions (requiredResourceAccess)
  • Microsoft Graph
    • User.Read | Delegated
    • User.Read.All | Delegated
    • Directory.Read.All | Application
    • User.Read.All | Application
    • Policy.Read.All | Application
Subscription-scope role actions (requiredRoleAccess)
  • Microsoft App Configuration
    • Microsoft.AppConfiguration/configurationStores/ListKeyValue/action
  • Microsoft Network
    • Microsoft.Network/networkWatchers/queryFlowLogStatus/action
  • Microsoft Web
    • Microsoft.Web/sites/config/list/Action
  • Microsoft Key Vault (data actions)
    • Microsoft.KeyVault/vaults/keys/read
    • Microsoft.KeyVault/vaults/secrets/readMetadata/action
Tenant-scope role actions (requiredTenantScopeRoleAccess)
  • Microsoft Management
    • Microsoft.Management/managementGroups/read

Agentless Vulnerability & Threat Detection

Permission category
Required permissions
Azure Resource Manager (ARM) permissions
  • Microsoft.ContainerRegistry/registries/generateCredentials/action
  • Microsoft.ContainerRegistry/registries/read
  • Microsoft.ContainerRegistry/registries/pull/read
  • Microsoft.ContainerRegistry/registries/tokens/write
  • Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read
  • Microsoft.ContainerRegistry/registries/scopeMaps/read
  • Microsoft.ContainerRegistry/registries/tokens/read
  • Microsoft.Compute/disks/read
  • Microsoft.Compute/virtualMachines/*/read
  • Microsoft.HybridCompute/machines/*/read
  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Compute/locations/usages/read
  • Microsoft.Quota/quotas/read
TrendAI™ Resource Group permissions
Azure built-in role: Contributor
  • Actions:
    • *
  • NotActions:
    • Microsoft.Authorization/*/Delete
    • Microsoft.Authorization/*/Write
    • Microsoft.Authorization/elevateAccess/Action
    • Microsoft.Blueprint/blueprintAssignments/write
    • Microsoft.Blueprint/blueprintAssignments/delete
    • Microsoft.Compute/galleries/share/action
    • Microsoft.Purview/consents/write
    • Microsoft.Purview/consents/delete
    • Microsoft.Resources/deploymentStacks/manageDenySetting/action
    • Microsoft.Subscription/cancel/action
    • Microsoft.Subscription/enable/action
Azure built-in role: AcrPull
  • Microsoft.ContainerRegistry/registries/pull/read
Azure built-in role: Storage Blob Data Owner
  • Microsoft.Storage/storageAccounts/blobServices/containers/*
  • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*
TrendAI™ Storage ID permissions
Azure built-in role: Storage Blob Data Reader
  • Microsoft.Storage/storageAccounts/blobServices/containers/read
  • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read

Data Security Posture

Permission type
Required permissions
Azure Resource Manager (ARM) permissions
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/networkSecurityGroups/write
  • Microsoft.Network/networkSecurityGroups/delete
  • Microsoft.Network/networkSecurityGroups/securityRules/read
  • Microsoft.Network/networkSecurityGroups/securityRules/write
  • Microsoft.Network/networkSecurityGroups/securityRules/delete
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/subscriptions/resourceGroups/write
  • Microsoft.Resources/subscriptions/resourceGroups/delete
  • Microsoft.Automation/automationAccounts/read
  • Microsoft.Automation/automationAccounts/write
  • Microsoft.Automation/automationAccounts/delete
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete
  • Microsoft.Automation/automationAccounts/webhooks/read
  • Microsoft.Automation/automationAccounts/webhooks/write
  • Microsoft.Automation/automationAccounts/webhooks/delete
  • Microsoft.Insights/actionGroups/read
  • Microsoft.Insights/actionGroups/write
  • Microsoft.Insights/actionGroups/delete
  • Microsoft.Automation/automationAccounts/python3Packages/read
  • Microsoft.Automation/automationAccounts/python3Packages/write
  • Microsoft.Automation/automationAccounts/python3Packages/delete
  • Microsoft.Automation/automationAccounts/runbooks/read
  • Microsoft.Automation/automationAccounts/runbooks/write
  • Microsoft.Automation/automationAccounts/runbooks/delete
  • Microsoft.Automation/automationAccounts/jobSchedules/read
  • Microsoft.Automation/automationAccounts/jobSchedules/write
  • Microsoft.Automation/automationAccounts/jobSchedules/delete
  • Microsoft.Network/publicIPAddresses/read
  • Microsoft.Network/publicIPAddresses/write
  • Microsoft.Network/publicIPAddresses/delete
  • Microsoft.Network/virtualNetworks/subnets/read
  • Microsoft.Network/virtualNetworks/subnets/write
  • Microsoft.Network/virtualNetworks/subnets/delete
  • Microsoft.Network/virtualNetworks/subnets/join/action
  • Microsoft.Network/bastionHosts/read
  • Microsoft.Network/bastionHosts/write
  • Microsoft.Network/bastionHosts/delete

File Storage Security

Permission type
Required permissions
Azure Resource Manager (ARM) permissions
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete
  • Microsoft.Authorization/roleDefinitions/read
  • Microsoft.Authorization/roleDefinitions/write
  • Microsoft.Authorization/roleDefinitions/delete
  • Microsoft.EventGrid/eventSubscriptions/read
  • Microsoft.EventGrid/eventSubscriptions/write
  • Microsoft.EventGrid/eventSubscriptions/delete
  • Microsoft.EventGrid/systemTopics/read
  • Microsoft.EventGrid/systemTopics/write
  • Microsoft.EventGrid/systemTopics/delete
  • Microsoft.EventGrid/systemTopics/eventSubscriptions/read
  • Microsoft.EventGrid/systemTopics/eventSubscriptions/write
  • Microsoft.EventGrid/systemTopics/eventSubscriptions/delete
  • Microsoft.Insights/components/read
  • Microsoft.Insights/components/write
  • Microsoft.Insights/components/delete
  • Microsoft.Insights/components/currentbillingfeatures/read
  • Microsoft.Insights/components/currentbillingfeatures/write
  • Microsoft.KeyVault/locations/deletedVaults/purge/action
  • Microsoft.KeyVault/locations/operationResults/read
  • Microsoft.KeyVault/vaults/read
  • Microsoft.KeyVault/vaults/write
  • Microsoft.KeyVault/vaults/delete
  • Microsoft.KeyVault/vaults/accessPolicies/write
  • Microsoft.ManagedIdentity/userAssignedIdentities/read
  • Microsoft.ManagedIdentity/userAssignedIdentities/write
  • Microsoft.ManagedIdentity/userAssignedIdentities/delete
  • Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
  • Microsoft.OperationalInsights/workspaces/read
  • Microsoft.OperationalInsights/workspaces/write
  • Microsoft.OperationalInsights/workspaces/delete
  • Microsoft.Resources/deployments/read
  • Microsoft.Resources/deployments/write
  • Microsoft.Resources/deployments/delete
  • Microsoft.Resources/deployments/operations/read
  • Microsoft.Resources/deployments/operationstatuses/read
  • Microsoft.Resources/resources/read
  • Microsoft.Resources/subscriptions/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/subscriptions/resourceGroups/write
  • Microsoft.Resources/subscriptions/resourceGroups/delete
  • Microsoft.ServiceBus/namespaces/read
  • Microsoft.ServiceBus/namespaces/write
  • Microsoft.ServiceBus/namespaces/delete
  • Microsoft.ServiceBus/namespaces/networkRuleSets/read
  • Microsoft.ServiceBus/namespaces/queues/read
  • Microsoft.ServiceBus/namespaces/queues/write
  • Microsoft.ServiceBus/namespaces/queues/delete
  • Microsoft.ServiceBus/namespaces/topics/read
  • Microsoft.ServiceBus/namespaces/topics/write
  • Microsoft.ServiceBus/namespaces/topics/delete
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/read
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/write
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/delete
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/rules/read
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/rules/write
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/rules/delete
  • Microsoft.Storage/register/action
  • Microsoft.Storage/storageAccounts/read
  • Microsoft.Storage/storageAccounts/write
  • Microsoft.Storage/storageAccounts/delete
  • Microsoft.Storage/storageAccounts/listKeys/action
  • Microsoft.Storage/storageAccounts/blobServices/read
  • Microsoft.Storage/storageAccounts/blobServices/write
  • Microsoft.Storage/storageAccounts/blobServices/containers/read
  • Microsoft.Storage/storageAccounts/blobServices/containers/write
  • Microsoft.Storage/storageAccounts/blobServices/containers/delete
  • Microsoft.Storage/storageAccounts/fileServices/read
  • Microsoft.Storage/storageAccounts/fileServices/write
  • Microsoft.Web/serverfarms/read
  • Microsoft.Web/serverfarms/write
  • Microsoft.Web/serverfarms/delete
  • Microsoft.Web/sites/read
  • Microsoft.Web/sites/write
  • Microsoft.Web/sites/delete
  • Microsoft.Web/sites/basicPublishingCredentialsPolicies/read
  • Microsoft.Web/sites/basicPublishingCredentialsPolicies/write
  • Microsoft.Web/sites/config/read
  • Microsoft.Web/sites/config/write
  • Microsoft.Web/sites/config/list/Action
  • Microsoft.Web/sites/functions/read
  • Microsoft.Web/sites/functions/listkeys/action
  • Microsoft.Web/sites/host/listkeys/Action
  • Microsoft.Web/sites/publishxml/read
Data actions
  • Microsoft.KeyVault/vaults/secrets/*
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action

Cloud Detections for Azure Activity Log

Permission type
Required permissions
No required permissions.

Microsoft Defender for Endpoint Log Collection

Permission type
Required permissions
Azure Resource Manager (ARM) permissions
  • Microsoft.KeyVault/vaults/secrets/read
  • Microsoft.KeyVault/vaults/secrets/write