Permissions required for Azure subscriptions

Review the permissions that are required, and the permissions that are granted, when you deploy resources and connect an Azure subscription to Trend Vision One.
The following permissions are required to successfully deploy Trend Vision One Cloud Security resources to your subscription.
  • For Microsoft Entra ID users, your sign-in must have the following roles:
    • Application Administrator
    • Privileged Role Administrator
  • For Microsoft Azure users, the account you sign in with must have the following roles, or higher, in the subscription you are connecting:
    • User Access Administrator
    • Contributor
  • To enable Microsoft Defender for Endpoint log collection or Azure Activity Logs, your Microsoft Azure sign-in must have the following role:
    • Key Vault Secrets Officer
The Terraform process assigns certain permissions to itself in order to establish the connection to Cloud Accounts and the Trend Vision One cloud security services. These permissions allow the Cloud Accounts application and the security services to obtain temporary credentials and complete their tasks in your Azure cloud environment.

Permissions required for Azure

Each feature below is listed together with the permissions it requires.
Core features
Azure Resource Manager (ARM) permissions:
  • Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
  • Microsoft.ContainerService/managedClusters/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleDefinitions/read
  • */read
API Permissions:
  • Azure Active Directory Graph (4)
    • Directory.Read.All | Delegated
    • Directory.Read.All | Application
    • User.Read | Delegated
    • User.Read.All | Delegated
  • Microsoft Graph (4)
    • Directory.Read.All | Application
    • User.Read | Delegated
    • User.Read.All | Delegated
    • User.Read.All | Application
Server & Workload Protection
Subscription permissions:
  • Microsoft.Resources/subscriptions/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/providers/read
  • Microsoft.Resources/resources/read
Virtual machine (VM) permissions:
  • Microsoft.Compute/virtualMachines/read
Virtual machine scale set (VMSS) permissions:
  • Microsoft.Compute/virtualMachineScaleSets/read
Classic virtual machine (VM) permissions:
  • Microsoft.ClassicCompute/virtualMachines/read
  • Microsoft.ClassicCompute/domainNames/read
Network permissions:
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/networkInterfaces/read
  • Microsoft.Network/publicIPAddresses/read
  • Microsoft.Network/virtualNetworks/read
Azure Metadata API permissions:
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Compute/locations/read
Authentication and IAM permissions:
  • Microsoft.Resources/deployments/read
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleDefinitions/read
Cloud Security Posture
requiredResourceAccess:
  • resourceAppName: Microsoft Graph
  • Resource access:
    • User.Read | Delegated
    • User.Read.All | Delegated
    • Directory.Read.All | Application
    • User.Read.All | Application
    • Policy.Read.All | Application
requiredRoleAccess:
  • resourceAppName: Microsoft App Configuration
    Role actions:
    • Microsoft.AppConfiguration/configurationStores/ListKeyValue/action
  • resourceAppName: Microsoft Network
    Role actions:
    • Microsoft.Network/networkWatchers/queryFlowLogStatus/action
  • resourceAppName: Microsoft Web
    Role actions:
    • Microsoft.Web/sites/config/list/Action
  • resourceAppName: Microsoft Key Vault
    Data actions:
    • Microsoft.KeyVault/vaults/keys/read
    • Microsoft.KeyVault/vaults/secrets/readMetadata/action
requiredTenantScopeRoleAccess:
  • resourceAppName: Microsoft Management
    Role actions:
    • Microsoft.Management/managementGroups/read
Agentless Vulnerability & Threat Detection
Azure Resource Manager (ARM) permissions:
  • Microsoft.ContainerRegistry/registries/generateCredentials/action
  • Microsoft.ContainerRegistry/registries/read
  • Microsoft.ContainerRegistry/registries/pull/read
  • Microsoft.ContainerRegistry/registries/tokens/write
  • Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read
  • Microsoft.ContainerRegistry/registries/scopeMaps/read
  • Microsoft.ContainerRegistry/registries/tokens/read
  • Microsoft.Compute/disks/read
  • Microsoft.Compute/virtualMachines/*/read
  • Microsoft.HybridCompute/machines/*/read
  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Compute/locations/usages/read
  • Microsoft.Quota/quotas/read
Trend Micro Resource Group permissions
Azure built-in role: Contributor
  • Actions:
    • *
  • NotActions:
    • Microsoft.Authorization/*/Delete
    • Microsoft.Authorization/*/Write
    • Microsoft.Authorization/elevateAccess/Action
    • Microsoft.Blueprint/blueprintAssignments/write
    • Microsoft.Blueprint/blueprintAssignments/delete
    • Microsoft.Compute/galleries/share/action
    • Microsoft.Purview/consents/write
    • Microsoft.Purview/consents/delete
    • Microsoft.Resources/deploymentStacks/manageDenySetting/action
    • Microsoft.Subscription/cancel/action
    • Microsoft.Subscription/enable/action
Azure built-in role: AcrPull
  • Microsoft.ContainerRegistry/registries/pull/read
Azure built-in role: Storage Blob Data Owner
  • Microsoft.Storage/storageAccounts/blobServices/containers/*
  • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*
Trend Micro Storage ID permissions
Azure built-in role: Storage Blob Data Reader
  • Microsoft.Storage/storageAccounts/blobServices/containers/read
  • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Data Security Posture
Azure Resource Manager (ARM) permissions:
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/networkSecurityGroups/write
  • Microsoft.Network/networkSecurityGroups/delete
  • Microsoft.Network/networkSecurityGroups/securityRules/read
  • Microsoft.Network/networkSecurityGroups/securityRules/write
  • Microsoft.Network/networkSecurityGroups/securityRules/delete
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/subscriptions/resourceGroups/write
  • Microsoft.Resources/subscriptions/resourceGroups/delete
  • Microsoft.Automation/automationAccounts/read
  • Microsoft.Automation/automationAccounts/write
  • Microsoft.Automation/automationAccounts/delete
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete
  • Microsoft.Automation/automationAccounts/webhooks/read
  • Microsoft.Automation/automationAccounts/webhooks/write
  • Microsoft.Automation/automationAccounts/webhooks/delete
  • Microsoft.Insights/actionGroups/read
  • Microsoft.Insights/actionGroups/write
  • Microsoft.Insights/actionGroups/delete
  • Microsoft.Automation/automationAccounts/python3Packages/read
  • Microsoft.Automation/automationAccounts/python3Packages/write
  • Microsoft.Automation/automationAccounts/python3Packages/delete
  • Microsoft.Automation/automationAccounts/runbooks/read
  • Microsoft.Automation/automationAccounts/runbooks/write
  • Microsoft.Automation/automationAccounts/runbooks/delete
  • Microsoft.Automation/automationAccounts/jobSchedules/read
  • Microsoft.Automation/automationAccounts/jobSchedules/write
  • Microsoft.Automation/automationAccounts/jobSchedules/delete
  • Microsoft.Network/publicIPAddresses/read
  • Microsoft.Network/publicIPAddresses/write
  • Microsoft.Network/publicIPAddresses/delete
  • Microsoft.Network/virtualNetworks/subnets/read
  • Microsoft.Network/virtualNetworks/subnets/write
  • Microsoft.Network/virtualNetworks/subnets/delete
  • Microsoft.Network/virtualNetworks/subnets/join/action
  • Microsoft.Network/bastionHosts/read
  • Microsoft.Network/bastionHosts/write
  • Microsoft.Network/bastionHosts/delete
Cloud Detection for Azure Activity Logs
No permissions required.
Microsoft Defender for Endpoint log collection
  • Microsoft.KeyVault/vaults/secrets/read
  • Microsoft.KeyVault/vaults/secrets/write
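As an added example (not code from Trend Micro's documentation or its Terraform module), the following Python script checks whether a role definition's Actions and NotActions cover a list of required operations, applying the Azure RBAC matching rules assumed here (`*` matches any characters including `/`, comparison is case-insensitive, and NotActions subtract from Actions). It uses the Contributor definition and a sample of the Data Security Posture permissions from this page to show that Contributor's NotActions exclude the roleAssignments write and delete operations, so that feature needs more than Contributor on the resource group.

```python
import re


def _to_regex(action: str) -> re.Pattern:
    """Compile one Azure RBAC action string to a regex.

    Assumed Azure semantics: '*' is a wildcard matching any characters,
    including '/' (so 'Microsoft.Authorization/*/Write' covers
    roleAssignments/write), and operation names compare case-insensitively.
    """
    parts = [re.escape(p) for p in action.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def action_allowed(operation: str, actions: list, not_actions: list) -> bool:
    """True if a role with the given Actions/NotActions permits 'operation'."""
    allowed = any(_to_regex(a).match(operation) for a in actions)
    denied = any(_to_regex(n).match(operation) for n in not_actions)
    return allowed and not denied


def missing_permissions(required: list, actions: list, not_actions: list) -> list:
    """Return the required operations the role does not grant, in input order."""
    return [op for op in required if not action_allowed(op, actions, not_actions)]


# Built-in Contributor role as listed on this page (Actions: *, NotActions below).
CONTRIBUTOR_ACTIONS = ["*"]
CONTRIBUTOR_NOT_ACTIONS = [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete",
    "Microsoft.Compute/galleries/share/action",
    "Microsoft.Purview/consents/write",
    "Microsoft.Purview/consents/delete",
    "Microsoft.Resources/deploymentStacks/manageDenySetting/action",
    "Microsoft.Subscription/cancel/action",
    "Microsoft.Subscription/enable/action",
]

# A subset of the Data Security Posture ARM permissions listed on this page.
DATA_SECURITY_POSTURE_SAMPLE = [
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Network/bastionHosts/write",
]

if __name__ == "__main__":
    for op in missing_permissions(DATA_SECURITY_POSTURE_SAMPLE,
                                  CONTRIBUTOR_ACTIONS, CONTRIBUTOR_NOT_ACTIONS):
        print("not covered by Contributor:", op)
```

The same function can be pointed at any role definition exported from your tenant to confirm a custom role covers exactly the operations a feature needs and nothing more.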