VM-Series on Azure Service Principal Permissions

Review the granular permissions for the Service Principal for VM-Series integrations
For Panorama to interact with the Azure APIs and collect information on your workloads, you need to create an Azure Active Directory application and a Service Principal that has the permissions required to authenticate with Azure AD and access the resources within your subscription.
To create the Active Directory application and Service Principal, follow the instructions in How to: Use the portal to create an Azure AD application and service principal that can access resources. During the application registration process, there is a step to "Assign application to role"; at that step, assign the IAM role "Reader" to the application.
If you don't have the necessary permissions to create and register the AD application, ask your Azure AD or subscription administrator to create a Service Principal.
After the application has been registered, record these values so you can enter them in the Panorama plugin for Azure at a later time:
  • Application ID
  • Secret Key (record it when you create the secret key; the secret key is not visible once you navigate away from the page).
  • Tenant ID

Permissions

The following table lists, for each integration, the minimum built-in role required and the granular permissions to grant if you would rather create a custom role.
To support: Azure High Availability, Azure Application Insights
Permissions:
  "Microsoft.Authorization/*/read",
  "Microsoft.Network/networkInterfaces/*",
  "Microsoft.Network/networkSecurityGroups/*",
  "Microsoft.Network/virtualNetworks/*",
  "Microsoft.Compute/virtualMachines/read"

To support: Azure Monitoring
Permissions: Requires a minimum role of Reader for the Service Principal. Alternatively, you can add the following custom permissions:
  "Microsoft.Compute/virtualMachines/read",
  "Microsoft.Network/networkInterfaces/read",
  "Microsoft.Network/virtualNetworks/read",
  "Microsoft.Network/virtualNetworks/subnets/read",
  "Microsoft.Network/applicationGateways/read",
  "Microsoft.Network/locations/serviceTags/read",
  "Microsoft.Network/loadBalancers/read",
  "Microsoft.Network/publicIPAddresses/read",
  "Microsoft.Resources/subscriptions/resourcegroups/read"

To support: Panorama Orchestrated Deployments
Permissions:
  "Microsoft.Resources/subscriptions/resourcegroups/*",
  "Microsoft.Resources/deployments/write",
  "Microsoft.Resources/deployments/operationStatuses/read",
  "Microsoft.Resources/deployments/read",
  "Microsoft.Resources/deployments/delete",
  "Microsoft.Network/publicIPPrefixes/write",
  "Microsoft.Network/publicIPPrefixes/read",
  "Microsoft.Network/publicIPPrefixes/delete",
  "Microsoft.Network/publicIPAddresses/write",
  "Microsoft.Network/publicIPAddresses/read",
  "Microsoft.Network/publicIPAddresses/delete",
  "Microsoft.Network/publicIPAddresses/join/action",
  "Microsoft.Network/natGateways/write",
  "Microsoft.Network/natGateways/read",
  "Microsoft.Network/natGateways/delete",
  "Microsoft.Network/natGateways/join/action",
  "Microsoft.Network/virtualNetworks/read",
  "Microsoft.Network/virtualNetworks/write",
  "Microsoft.Network/virtualNetworks/delete",
  "Microsoft.Network/virtualNetworks/subnets/write",
  "Microsoft.Network/virtualNetworks/subnets/read",
  "Microsoft.Network/virtualNetworks/subnets/delete",
  "Microsoft.Network/virtualNetworks/subnets/join/action",
  "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
  "Microsoft.Network/networkSecurityGroups/write",
  "Microsoft.Network/networkSecurityGroups/read",
  "Microsoft.Network/networkSecurityGroups/delete",
  "Microsoft.Network/networkSecurityGroups/join/action",
  "Microsoft.Network/loadBalancers/write",
  "Microsoft.Network/loadBalancers/read",
  "Microsoft.Network/loadBalancers/delete",
  "Microsoft.Network/loadBalancers/probes/join/action",
  "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
  "Microsoft.Network/loadBalancers/frontendIPConfigurations/read",
  "Microsoft.Network/locations/serviceTags/read",
  "Microsoft.Network/applicationGateways/read",
  "Microsoft.Network/networkInterfaces/read",
  "Microsoft.Compute/virtualMachineScaleSets/write",
  "Microsoft.Compute/virtualMachineScaleSets/read",
  "Microsoft.Compute/virtualMachineScaleSets/delete",
  "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
  "Microsoft.Compute/virtualMachines/read",
  "Microsoft.Compute/images/read",
  "Microsoft.insights/components/write",
  "Microsoft.insights/components/read",
  "Microsoft.insights/components/delete",
  "Microsoft.insights/autoscalesettings/write"
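The following is an added example, not code from the Palo Alto Networks documentation or the Panorama plugin. It takes the permission sets from the table above, checks which of them an existing role (for example the built-in Reader role, whose Actions list is `*/read`) already covers, flags wildcard entries that grant more than read access, and emits a custom role definition in the JSON shape consumed by the Azure CLI. The wildcard matching uses Python's fnmatch as an approximation of Azure RBAC's `*` semantics (case-insensitive, matching across `/` segments); that approximation, the role name and the subscription ID are assumptions of the example, and the Orchestrated Deployments list is a labelled subset of the table.

```python
"""Check role coverage for the Panorama plugin for Azure and build a
least-privilege custom role from the permission sets on this page.

Assumption: fnmatch approximates Azure RBAC wildcard matching
(case-insensitive, '*' matches across '/' segments).
"""
import fnmatch
import json

# Azure High Availability / Azure Application Insights (from the table).
HA_APP_INSIGHTS = [
    "Microsoft.Authorization/*/read",
    "Microsoft.Network/networkInterfaces/*",
    "Microsoft.Network/networkSecurityGroups/*",
    "Microsoft.Network/virtualNetworks/*",
    "Microsoft.Compute/virtualMachines/read",
]

# Azure Monitoring: the custom alternative to the built-in Reader role.
MONITORING = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/applicationGateways/read",
    "Microsoft.Network/locations/serviceTags/read",
    "Microsoft.Network/loadBalancers/read",
    "Microsoft.Network/publicIPAddresses/read",
    "Microsoft.Resources/subscriptions/resourcegroups/read",
]

# Panorama Orchestrated Deployments: a subset of the table's list, enough to
# show the write/delete actions that Reader does not grant.
ORCHESTRATED_SUBSET = [
    "Microsoft.Resources/subscriptions/resourcegroups/*",
    "Microsoft.Resources/deployments/write",
    "Microsoft.Resources/deployments/read",
    "Microsoft.Resources/deployments/delete",
    "Microsoft.Network/publicIPAddresses/write",
    "Microsoft.Network/publicIPAddresses/read",
    "Microsoft.Network/publicIPAddresses/delete",
    "Microsoft.Network/publicIPAddresses/join/action",
    "Microsoft.Compute/virtualMachineScaleSets/write",
    "Microsoft.insights/autoscalesettings/write",
]

# The built-in Reader role grants every read action in its scope.
READER_ACTIONS = ["*/read"]


def action_matches(granted, required):
    """True if one granted action string (possibly a wildcard) covers one
    required action. Both sides are lower-cased because Azure action
    strings are case-insensitive."""
    return fnmatch.fnmatchcase(required.lower(), granted.lower())


def missing_actions(granted, required):
    """Required actions that no granted action covers. An empty list means
    the role is sufficient for that integration."""
    return [r for r in required if not any(action_matches(g, r) for g in granted)]


def wildcard_actions(actions):
    """Entries containing '*' grant more than their literal text suggests
    (write and delete on network interfaces, for example); list them so a
    reviewer can decide whether that breadth is acceptable."""
    return [a for a in actions if "*" in a]


def custom_role(name, actions, subscription_id, description=""):
    """Return a custom role definition in the JSON shape accepted by
    `az role definition create --role-definition <file>`. Name and
    subscription ID are caller-supplied placeholders."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": description,
        "Actions": sorted(set(actions), key=str.lower),
        "NotActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"  # placeholder subscription ID
    print("Reader lacks for monitoring:", missing_actions(READER_ACTIONS, MONITORING))
    print("Reader lacks for orchestration:", missing_actions(READER_ACTIONS, ORCHESTRATED_SUBSET))
    print("Wildcards in HA set:", wildcard_actions(HA_APP_INSIGHTS))
    role = custom_role("Panorama Azure Monitoring", MONITORING, sub,
                       "Read-only access for the Panorama plugin for Azure")
    print(json.dumps(role, indent=2))
```

Write the emitted JSON to a file and create the role with `az role definition create --role-definition role.json`, then bind it to the registered application with `az role assignment create --assignee <Application ID> --role "Panorama Azure Monitoring" --scope /subscriptions/<Subscription ID>`. Running the coverage check first confirms the table's statement that Reader is enough for Azure Monitoring, and shows which write and delete actions an orchestration role needs beyond it.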