Azure Required Permissions
- Updated on 21 Jul 2024
Roles and Permissions
Below is a list of the roles Prisma Cloud DSPM uses to access your Azure environment and the permissions they have. Permissions are used to access different types of data, or perform actions such as creating/deleting virtual machines (VMs), exporting snapshots, etc.
IMPORTANT
If your Azure subscriptions and tenants have any firewall or network restrictions in place, it is imperative to grant access to the following Prisma Cloud DSPM IP addresses. Access must be granted for all subscriptions.
EU Stack: 52.48.123.3, 99.80.210.235, 34.247.249.123
US Stack: 54.225.205.121, 18.214.146.232, 3.93.120.3
Dig-Security-Reader-Role
Used for read-only access to your environment, this role enables Prisma Cloud DSPM to:
Access your assets’ metadata such as size, name and region
Collect activity logs for DDR capabilities
This role is installed on every subscription monitored by Prisma Cloud DSPM using the enterprise application, allowing us to detect and protect your assets. Prisma Cloud DSPM's own environment performs the read-only API calls.
Permissions
Permission | Scope | Purpose |
---|---|---|
Microsoft.CognitiveServices/*/read | Monitored subscription | Discovery of OpenAI resources and other Azure AI services |
Microsoft.Web/sites/config/list/action | Monitored subscription | Discovery and risk assessment of Azure Web Apps |
*/read | Monitored subscription | Read-only access, used to get metadata of all managed data assets in the subscription |
Microsoft.EventHub/*/receive/action | Monitored subscription | Reading activity logs from Dig-Security event hub |
Microsoft.Storage/storageAccounts/tableServices/tables/entities/read | Monitored subscription | Reading metadata from tables |
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Monitored subscription | Getting SAS token of blobServices to enable access |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Monitored subscription | Reading metadata from blobs |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | Monitored subscription | Reading metadata from file shares |
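A least-privilege drift check over the table above, written as an added example that is not part of the Prisma Cloud DSPM documentation or product. It takes a custom role definition in the JSON shape returned by `az role definition list`, applies Azure's case-insensitive `*` wildcard rules, and reports grants beyond the documented reader list, documented entries the role lacks, and any NotActions; the sample role definition is constructed, and the same check applies to the other role tables on this page by swapping in their permission list.

```python
"""Least-privilege drift check for a custom Azure role definition (added example, not part
of the Prisma Cloud DSPM docs). Compares the actions a role grants, in the JSON shape returned by
`az role definition list`, against the documented Dig-Security-Reader-Role list."""
import fnmatch

# Entries copied from the Dig-Security-Reader-Role table above (control- and data-plane merged).
READER_ROLE_DOCUMENTED = {
    "Microsoft.CognitiveServices/*/read",
    "Microsoft.Web/sites/config/list/action",
    "*/read",
    "Microsoft.EventHub/*/receive/action",
    "Microsoft.Storage/storageAccounts/tableServices/tables/entities/read",
    "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
}

def covered_by(entry, patterns):
    """True if 'entry' (its own '*' read literally) lies inside some pattern in 'patterns'.
    Azure's '*' matches any run of characters, '/' included, exactly like fnmatch's '*'."""
    return any(fnmatch.fnmatchcase(entry.lower(), p.lower()) for p in patterns)

def audit_role(role_def, documented):
    """Report grants beyond the documented list (the least-privilege finding), documented
    entries the role lacks (why a scan fails), and any NotActions/NotDataActions present."""
    granted, denied = set(), set()
    for perm in role_def.get("permissions", []):
        granted.update(perm.get("actions", []), perm.get("dataActions", []))
        denied.update(perm.get("notActions", []), perm.get("notDataActions", []))
    return {
        "excess": sorted(g for g in granted if not covered_by(g, documented)),
        "missing": sorted(d for d in documented if not covered_by(d, granted)),
        "denied": sorted(denied),
    }

# Constructed sample: a reader role that drifted (listKeys added, Web App config list dropped).
SAMPLE_ROLE = {"roleName": "Dig-Security-Reader-Role", "permissions": [{
    "actions": ["*/read", "Microsoft.CognitiveServices/*/read",
                "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
                "Microsoft.Storage/storageAccounts/listKeys/action"],
    "dataActions": ["Microsoft.EventHub/*/receive/action",
                    "Microsoft.Storage/storageAccounts/tableServices/tables/entities/read",
                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
                    "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read"],
}]}

if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE, READER_ROLE_DOCUMENTED))
```

On the sample, the excess grant is `listKeys/action` (a permission this page documents only for the Scanner role) and the missing entry is the Web App config read.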
Dig-Security-Scanner-Role
This role is installed on all the scanned (monitored) subscriptions in your environment. It can be used only by a local managed identity in your subscription. This enables Prisma Cloud DSPM to detect and scan data for analysis and classification.
All sensitive data that is detected, scanned and classified by Prisma Cloud DSPM’s resources never leaves the client's environment.
Permissions
Permission | Scope | Purpose |
---|---|---|
Microsoft.CognitiveServices/*/action | Prisma Cloud DSPM’s resource group | Reading and scanning OpenAI files and other Azure AI data resources |
Microsoft.Insights/alertRules/* | Prisma Cloud DSPM's resource group | Getting metrics on Prisma Cloud DSPM resources |
Microsoft.Insights/diagnosticSettings/* | Prisma Cloud DSPM's resource group | Getting metrics on Prisma Cloud DSPM resources |
Microsoft.Network/privateEndpoints/write | Prisma Cloud DSPM's resource group | Creating private endpoints |
Microsoft.Network/privateEndpoints/delete | Prisma Cloud DSPM's resource group | Deleting private endpoints |
Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write | Prisma Cloud DSPM's resource group | Creating private DNS zones |
Microsoft.Network/privateDnsZones/join/action | Prisma Cloud DSPM's resource group | Assigning private endpoint to DNS zones |
Microsoft.Network/virtualNetworks/subnets/join/action | Prisma Cloud DSPM's resource group | Assigning a private endpoint to a virtual network |
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Prisma Cloud DSPM's resource group | Assigning a private endpoint to a virtual network |
Microsoft.Resources/deployments/* | Prisma Cloud DSPM's resource group | Monitoring deployments |
Microsoft.Storage/storageAccounts/blobServices/containers/delete | Prisma Cloud DSPM's resource group | Deleting old blobs in the audit storage account |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Monitored subscription | Scanning blobs |
Microsoft.Storage/storageAccounts/blobServices/containers/write | Prisma Cloud DSPM's resource group | Creating new containers in the audit storage account |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | Prisma Cloud DSPM's resource group | Deleting blobs in the audit storage account |
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Prisma Cloud DSPM's resource group | Getting access SAS token to the storage account |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Prisma Cloud DSPM's resource group | Reading blobs in the audit storage account |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | Prisma Cloud DSPM's resource group | Writing logs and reports in the audit storage account |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action | Prisma Cloud DSPM's resource group | Editing logs and reports in the audit storage account |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action | Prisma Cloud DSPM's resource group | Editing logs and reports in the audit storage account |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | Monitored subscription | Scanning file shares |
Microsoft.Storage/storageAccounts/tableServices/tables/entities/read | Monitored subscription | Scanning tables |
Microsoft.Storage/storageAccounts/tableServices/tables/read | Monitored subscription | Reading metadata from tables |
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Monitored subscription | Getting the SAS token of blobServices to enable access |
Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action | Monitored subscription | Enabling a scan by assigning private endpoints to a storage account located in a private network |
Microsoft.Storage/storageAccounts/listKeys/action | Monitored subscription | Getting access key to the storage account to scan file share instances using API |
Microsoft.Storage/storageAccounts/ListAccountSas/action | Monitored subscription | Getting access SAS token to the storage account to scan file share instances using API |
Microsoft.Storage/storageAccounts/* | Prisma Cloud DSPM's resource group | Creating audit storage accounts |
*/read | Monitored subscription | Read-only access, used to get metadata of all managed data assets in the subscription |
Dig-Security-Subscription-Orchestrator-Role
These permissions are installed on all monitored subscriptions in your environment. This role enables Prisma Cloud DSPM to classify and scan data assets and analyze them in Prisma Cloud DSPM's resource group.
All sensitive data that is detected, scanned and classified by Prisma Cloud DSPM's resources never leaves the client's environment.
Permissions
Permission | Scope | Purpose |
---|---|---|
Microsoft.Sql/servers/databases/write | Monitored subscription | Used for copying SQL databases to Prisma Cloud DSPM's resource group, enabling Prisma Cloud DSPM to connect and scan it |
Microsoft.documentdb/databaseaccounts/PrivateEndpointConnectionsApproval/action | Monitored subscription | Used for creating a private endpoint |
Microsoft.Sql/managedInstances/databases/readBackups/action | Monitored subscription | Used for reading and classifying SQL Managed Instances from backups |
Microsoft.Sql/managedInstances/databases/write | Monitored subscription | Used for creating copies of SQL Managed Instances for classification |
Dig-Security-Orchestrator-Role
These permissions are installed on all monitored subscriptions in your environment. This role is used for deploying Prisma Cloud DSPM's compute resources (VMs) that scan and analyze the monitored subscription. Each VM is assigned scanner permissions so that it can access, scan and analyze the data.
All sensitive data that is detected, scanned and classified by Prisma Cloud DSPM’s resources never leaves the client's environment.
Permissions
Permission | Scope | Purpose |
---|---|---|
Microsoft.Network/networkSecurityGroups/securityRules/write | Prisma Cloud DSPM's resource group | Modifying the Network Security Group (NSG) to establish an outgoing connection over SMB (port 445) with on-prem file shares for classification purposes |
Microsoft.Authorization/locks/* | Prisma Cloud DSPM's resource group | Adding locks to Prisma Cloud DSPM's resources |
Microsoft.Compute/disks/beginGetAccess/action | Prisma Cloud DSPM's resource group | Enabling access to the disk data for creating disks from snapshots |
Microsoft.Compute/disks/delete | Prisma Cloud DSPM's resource group | Deleting created disks |
Microsoft.Compute/disks/write | Prisma Cloud DSPM's resource group | Creating and modifying snapshots of the scanned disks |
Microsoft.Compute/snapshots/delete | Prisma Cloud DSPM's resource group | Deleting scanned snapshots |
Microsoft.Compute/snapshots/write | Prisma Cloud DSPM's resource group | Creating and modifying snapshots for scanning |
Microsoft.Compute/virtualMachines/delete | Prisma Cloud DSPM's resource group | Deleting scanner virtual machines (VMs) |
Microsoft.Compute/virtualMachines/write | Prisma Cloud DSPM's resource group | Creating and modifying VMs and attaching disks |
Microsoft.ManagedIdentity/userAssignedIdentities/assign/action | Prisma Cloud DSPM's resource group | Assigning a managed identity to the created VM |
Microsoft.Network/natGateways/join/action | Prisma Cloud DSPM's resource group | Associating NAT gateways with the created VMs |
Microsoft.Network/natGateways/write | Prisma Cloud DSPM's resource group | Creating and modifying NAT gateways |
Microsoft.Network/natGateways/delete | Prisma Cloud DSPM's resource group | Deleting NAT gateways |
Microsoft.Network/networkInterfaces/delete | Prisma Cloud DSPM's resource group | Deleting created network interfaces |
Microsoft.Network/networkInterfaces/join/action | Prisma Cloud DSPM's resource group | Associating the created network interface with a virtual machine |
Microsoft.Network/networkInterfaces/delete | Prisma Cloud DSPM's resource group | Deleting network interfaces |
Microsoft.Network/networkInterfaces/write | Prisma Cloud DSPM's resource group | Creating and modifying network interfaces to ensure that the created VMs have outbound internet access |
Microsoft.Network/networkSecurityGroups/delete | Prisma Cloud DSPM's resource group | Deleting created security groups |
Microsoft.Network/networkSecurityGroups/join/action | Prisma Cloud DSPM's resource group | Associating the created security group with a subnet or network interface |
Microsoft.Network/networkSecurityGroups/delete | Prisma Cloud DSPM's resource group | Deleting Prisma Cloud DSPM's security groups |
Microsoft.Network/networkSecurityGroups/write | Prisma Cloud DSPM's resource group | Creating and modifying security groups to ensure that Prisma Cloud DSPM's VMs are secured and cannot be reached |
Microsoft.Network/publicIPAddresses/join/action | Prisma Cloud DSPM's resource group only | Associating the created public IP |
Microsoft.Network/publicIPAddresses/write | Prisma Cloud DSPM's resource group only | Creating and modifying the public IP address |
Microsoft.Network/publicIPAddresses/delete | Prisma Cloud DSPM's resource group only | Deleting the public IP address |
Microsoft.Network/virtualNetworks/delete | Prisma Cloud DSPM's resource group | Deleting created virtual networks |
Microsoft.Network/virtualNetworks/subnets/join/action | Prisma Cloud DSPM's resource group | Associating virtual networks with the created VMs |
Microsoft.Network/virtualNetworks/subnets/write | Prisma Cloud DSPM's resource group only | Creating and modifying subnets inside the virtual network |
Microsoft.Network/virtualNetworks/write | Prisma Cloud DSPM's resource group | Creating and modifying a virtual network so that the created virtual machines |
Microsoft.Resources/deployments/write | Prisma Cloud DSPM's resource group | Deploying resources to a resource group |
Microsoft.Resources/subscriptions/resourceGroups/write | Prisma Cloud DSPM's resource group | Creating resources in a resource group |
Microsoft.Network/natGateways/join/action | Prisma Cloud DSPM's resource group | Joining a NAT gateway to virtual network |
Microsoft.Network/privateEndpoints/delete | Prisma Cloud DSPM's resource group | Deleting unused private endpoints |
Microsoft.Storage/storageAccounts/delete | Prisma Cloud DSPM's resource group | Deleting an audit storage account |
Microsoft.Storage/storageAccounts/write | Prisma Cloud DSPM's resource group | Creating an audit storage account |
Microsoft.Storage/storageAccounts/blobServices/write | Prisma Cloud DSPM's resource group | Writing data into the audit storage account |
Microsoft.Storage/storageAccounts/blobServices/containers/write | Prisma Cloud DSPM's resource group | Creating containers in the audit storage account |
Microsoft.Sql/servers/write | Prisma Cloud DSPM's resource group | Creating and managing Prisma Cloud DSPM's Azure SQL server in the orchestrator resource group |
Microsoft.Sql/servers/delete | Prisma Cloud DSPM's resource group | Cleaning stale assets such as Prisma Cloud DSPM's Azure SQL server - only in the Orchestrator resource group |
Microsoft.Sql/servers/read | Prisma Cloud DSPM's resource group | Getting configurations on Prisma Cloud DSPM's Azure SQL server - only in the Orchestrator resource group |
Microsoft.Sql/servers/virtualNetworkRules/* | Prisma Cloud DSPM's resource group | Configuring network accessibility from the scanning VMs on Prisma Cloud DSPM's Azure SQL server - only in the Orchestrator resource group |
Microsoft.Sql/servers/databases/move/action | Prisma Cloud DSPM's resource group | Creating and managing Prisma Cloud DSPM's Azure SQL databases in the Orchestrator resource group |
Microsoft.Sql/servers/databases/delete | Prisma Cloud DSPM's resource group | Cleaning stale assets such as Prisma Cloud DSPM's Azure SQL databases - only in the Orchestrator resource group |
Microsoft.Sql/servers/databases/write | Prisma Cloud DSPM's resource group | Copying and managing SQL databases in Prisma Cloud DSPM's Azure SQL server in the Orchestrator resource group |
Microsoft.Sql/servers/databases/read | Prisma Cloud DSPM's resource group | Getting configurations on Prisma Cloud DSPM's Azure SQL databases - only in the Orchestrator resource group |