Azure subscriptions required permissions

Review the permissions required to deploy resources and the permissions granted when connecting Azure subscriptions to Trend Vision One.
The following permissions are required to successfully deploy Trend Vision One cloud security resources to your subscription.
  • For Microsoft Entra ID users, your sign-in must have the following roles:
    • Application Administrator
    • Privileged Role Administrator
  • For Microsoft Azure users, your sign-in must have the following roles, or a higher role, on the subscription you are connecting:
    • User Access Administrator
    • Contributor
  • To enable Microsoft Defender for Endpoint log collection or Azure Activity Log collection, your Microsoft Azure sign-in must have the following role:
    • Key Vault Secrets Officer
During deployment, the Terraform process assigns itself the permissions listed below in order to establish the connection with Cloud Accounts and the Trend Vision One cloud security services. These permissions allow the Cloud Accounts app and the security services to obtain temporary credentials and complete tasks within your Azure cloud environment.

Azure required permissions

Each feature below is followed by the permissions it requires.
Core features
Azure Resource Manager (ARM) permissions:
  • Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
  • Microsoft.ContainerService/managedClusters/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleDefinitions/read
  • */read
API Permissions:
  • Azure Active Directory Graph (4 permissions)
    • Directory.Read.All | Delegated
    • Directory.Read.All | Application
    • User.Read | Delegated
    • User.Read.All | Delegated
  • Microsoft Graph (4 permissions)
    • Directory.Read.All | Application
    • User.Read | Delegated
    • User.Read.All | Delegated
    • User.Read.All | Application
Server & Workload Protection
Subscription permissions:
  • Microsoft.Resources/subscriptions/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/providers/read
  • Microsoft.Resources/resources/read
Virtual Machine (VM) permissions:
  • Microsoft.Compute/virtualMachines/read
Virtual Machine Scale Set (VMSS) permissions:
  • Microsoft.Compute/virtualMachineScaleSets/read
Classic Virtual Machine (VM) permissions:
  • Microsoft.ClassicCompute/virtualMachines/read
  • Microsoft.ClassicCompute/domainNames/read
Network permissions:
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/networkInterfaces/read
  • Microsoft.Network/publicIPAddresses/read
  • Microsoft.Network/virtualNetworks/read
Azure Metadata API permissions:
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Compute/locations/read
Authentication and IAM permissions:
  • Microsoft.Resources/deployments/read
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleDefinitions/read
Cloud Security Posture
requiredResourceAccess:
  • resourceAppName: Microsoft Graph
    resourceAccess:
    • User.Read | Delegated
    • User.Read.All | Delegated
    • Directory.Read.All | Application
    • User.Read.All | Application
    • Policy.Read.All | Application
requiredRoleAccess:
  • resourceAppName: Microsoft App Configuration
    roleActions:
    • name: Microsoft.AppConfiguration/configurationStores/ListKeyValue/action
  • resourceAppName: Microsoft Network
    roleActions:
    • name: Microsoft.Network/networkWatchers/queryFlowLogStatus/action
  • resourceAppName: Microsoft Web
    roleActions:
    • name: Microsoft.Web/sites/config/list/Action
  • resourceAppName: Microsoft Key Vault
    dataActions:
    • name: Microsoft.KeyVault/vaults/keys/read
    • name: Microsoft.KeyVault/vaults/secrets/readMetadata/action
requiredTenantScopeRoleAccess:
  • resourceAppName: Microsoft Management
    roleActions:
    • name: Microsoft.Management/managementGroups/read
Agentless Vulnerability & Threat Detection
Azure Resource Manager (ARM) permissions:
  • Microsoft.ContainerRegistry/registries/generateCredentials/action
  • Microsoft.ContainerRegistry/registries/read
  • Microsoft.ContainerRegistry/registries/pull/read
  • Microsoft.ContainerRegistry/registries/tokens/write
  • Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read
  • Microsoft.ContainerRegistry/registries/scopeMaps/read
  • Microsoft.ContainerRegistry/registries/tokens/read
  • Microsoft.Compute/disks/read
  • Microsoft.Compute/virtualMachines/read
  • Microsoft.HybridCompute/machines/read
  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Compute/locations/usages/read
  • Microsoft.Quota/quotas/read
Trend Micro Resource Group permissions:
Azure built-in role: Contributor
  • Actions:
    • * (all control-plane actions)
  • NotActions:
    • Microsoft.Authorization/*/Delete
    • Microsoft.Authorization/*/Write
    • Microsoft.Authorization/elevateAccess/Action
    • Microsoft.Blueprint/blueprintAssignments/write
    • Microsoft.Blueprint/blueprintAssignments/delete
    • Microsoft.Compute/galleries/share/action
    • Microsoft.Purview/consents/write
    • Microsoft.Purview/consents/delete
    • Microsoft.Resources/deploymentStacks/manageDenySetting/action
    • Microsoft.Subscription/cancel/action
    • Microsoft.Subscription/enable/action
Azure built-in role: AcrPull
  • Microsoft.ContainerRegistry/registries/pull/read
Azure built-in role: Storage Blob Data Owner
  • Microsoft.Storage/storageAccounts/blobServices/containers/*
  • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*
Trend Micro Storage ID permissions:
Azure built-in role: Storage Blob Data Reader
  • Microsoft.Storage/storageAccounts/blobServices/containers/read
  • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Data Security Posture
Azure Resource Manager (ARM) permissions:
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/networkSecurityGroups/write
  • Microsoft.Network/networkSecurityGroups/delete
  • Microsoft.Network/networkSecurityGroups/securityRules/read
  • Microsoft.Network/networkSecurityGroups/securityRules/write
  • Microsoft.Network/networkSecurityGroups/securityRules/delete
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/subscriptions/resourceGroups/write
  • Microsoft.Resources/subscriptions/resourceGroups/delete
  • Microsoft.Automation/automationAccounts/read
  • Microsoft.Automation/automationAccounts/write
  • Microsoft.Automation/automationAccounts/delete
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete
  • Microsoft.Automation/automationAccounts/webhooks/read
  • Microsoft.Automation/automationAccounts/webhooks/write
  • Microsoft.Automation/automationAccounts/webhooks/delete
  • Microsoft.Insights/actionGroups/read
  • Microsoft.Insights/actionGroups/write
  • Microsoft.Insights/actionGroups/delete
  • Microsoft.Automation/automationAccounts/python3Packages/read
  • Microsoft.Automation/automationAccounts/python3Packages/write
  • Microsoft.Automation/automationAccounts/python3Packages/delete
  • Microsoft.Automation/automationAccounts/runbooks/read
  • Microsoft.Automation/automationAccounts/runbooks/write
  • Microsoft.Automation/automationAccounts/runbooks/delete
  • Microsoft.Automation/automationAccounts/jobSchedules/read
  • Microsoft.Automation/automationAccounts/jobSchedules/write
  • Microsoft.Automation/automationAccounts/jobSchedules/delete
  • Microsoft.Network/publicIPAddresses/read
  • Microsoft.Network/publicIPAddresses/write
  • Microsoft.Network/publicIPAddresses/delete
  • Microsoft.Network/virtualNetworks/subnets/read
  • Microsoft.Network/virtualNetworks/subnets/write
  • Microsoft.Network/virtualNetworks/subnets/delete
  • Microsoft.Network/virtualNetworks/subnets/join/action
  • Microsoft.Network/bastionHosts/read
  • Microsoft.Network/bastionHosts/write
  • Microsoft.Network/bastionHosts/delete
Cloud Detections for Azure Activity Log
No required permissions.
Microsoft Defender for Endpoint Log Collection
  • Microsoft.KeyVault/vaults/secrets/read
  • Microsoft.KeyVault/vaults/secrets/write
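To see what the built-in Contributor role listed above for the Trend Micro resource group actually grants, the following is an added example, not Trend Micro's code and not part of the original page, that evaluates a role definition the way Azure RBAC does: an operation is granted when some Actions pattern matches it and no NotActions pattern matches it, matching is case-insensitive, `*` spans any characters including `/`, and data-plane operations (DataActions) are evaluated separately from control-plane ones. The role definitions are transcribed from this page; the evaluation logic and the names `matches`, `is_allowed` and `not_granted` are this example's own. It shows that Contributor's NotActions exclude `Microsoft.Authorization/roleAssignments/write` and `.../delete` (which the Agentless feature lists as separate ARM permissions), and that Contributor's `*` does not cover the data-plane `Microsoft.ContainerRegistry/registries/pull/read` that AcrPull provides.

```python
"""Evaluate what an Azure RBAC role definition grants (added example)."""
import re
from dataclasses import dataclass, field


@dataclass
class RoleDefinition:
    """An Azure RBAC role split into its control plane (actions / not_actions)
    and its data plane (data_actions / not_data_actions)."""
    name: str
    actions: list = field(default_factory=list)
    not_actions: list = field(default_factory=list)
    data_actions: list = field(default_factory=list)
    not_data_actions: list = field(default_factory=list)


def matches(pattern: str, operation: str) -> bool:
    """Azure wildcard match: '*' spans any characters (including '/'),
    everything else is literal, and the comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def is_allowed(role: RoleDefinition, operation: str, data_plane: bool = False) -> bool:
    """A role grants an operation only if an allow pattern in the relevant plane
    covers it and no Not* pattern in that plane excludes it. NotActions narrow
    the role; they are not deny rules and do not override other assignments."""
    allow = role.data_actions if data_plane else role.actions
    deny = role.not_data_actions if data_plane else role.not_actions
    granted = any(matches(p, operation) for p in allow)
    excluded = any(matches(p, operation) for p in deny)
    return granted and not excluded


def not_granted(role: RoleDefinition, operations: list, data_plane: bool = False) -> list:
    """Return the operations from the list that this role does not cover."""
    return [op for op in operations if not is_allowed(role, op, data_plane)]


# Contributor as listed on this page: Actions "*" minus these NotActions.
CONTRIBUTOR = RoleDefinition(
    name="Contributor",
    actions=["*"],
    not_actions=[
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action",
        "Microsoft.Purview/consents/write",
        "Microsoft.Purview/consents/delete",
        "Microsoft.Resources/deploymentStacks/manageDenySetting/action",
        "Microsoft.Subscription/cancel/action",
        "Microsoft.Subscription/enable/action",
    ],
)

# AcrPull as listed on this page: a single data-plane action.
ACR_PULL = RoleDefinition(
    name="AcrPull",
    data_actions=["Microsoft.ContainerRegistry/registries/pull/read"],
)

# Control-plane actions this page lists for Agentless Vulnerability & Threat Detection.
AGENTLESS_ARM_ACTIONS = [
    "Microsoft.ContainerRegistry/registries/generateCredentials/action",
    "Microsoft.ContainerRegistry/registries/read",
    "Microsoft.ContainerRegistry/registries/tokens/write",
    "Microsoft.ContainerRegistry/registries/scopeMaps/read",
    "Microsoft.Compute/disks/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.HybridCompute/machines/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Compute/locations/usages/read",
    "Microsoft.Quota/quotas/read",
]


if __name__ == "__main__":
    print("Agentless actions not covered by Contributor on the resource group:")
    for op in not_granted(CONTRIBUTOR, AGENTLESS_ARM_ACTIONS):
        print("  -", op)
    pull = "Microsoft.ContainerRegistry/registries/pull/read"
    print("Contributor grants ACR pull (data plane)?", is_allowed(CONTRIBUTOR, pull, data_plane=True))
    print("AcrPull grants ACR pull (data plane)?", is_allowed(ACR_PULL, pull, data_plane=True))
```

The evaluator looks at a single role definition in isolation. In a real subscription the effective permission of a principal is the union of all its role assignments at the relevant scopes, minus any Azure deny assignments, so use this to reason about what one listed role contributes, not as a substitute for checking the principal's actual assignments.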