What are the required roles when onboarding an Azure cloud account?
5100
Created On 03/14/23 07:09 AM - Last Modified 02/10/25 21:10 PM
Question
What are the required roles when onboarding an Azure cloud account?
Environment
- Prisma Cloud
- Azure onboarding
Answer
- If the user does not need to ingest and monitor Network Security Group Flow Logs (the option shown at the GUI path below), the built-in roles "Reader" and "Reader and Data Access" are sufficient.
GUI path: Settings > Cloud accounts > Edit Cloud account
- If the user needs to ingest and monitor Network Security Group Flow Logs (the check box is selected), the "Microsoft.Network/networkWatchers/queryFlowLogStatus/*" permission is required, so the built-in "Network Contributor" role is also needed. Alternatively, this single permission can be granted through a custom role instead of assigning the full "Network Contributor" role.
- If the user enabled the "Remediation" capability when onboarding the account, the built-in "Storage Account Contributor" role is necessary.
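When only the flow-log status permission is needed, a custom role that carries just that action is the least-privilege alternative to assigning "Network Contributor". The role definition below is an added example and is not from this article or from Prisma Cloud; the role name is hypothetical and the subscription ID is a placeholder.

```json
{
  "Name": "Prisma Cloud Flow Log Status Reader",
  "IsCustom": true,
  "Description": "Added example role (not Prisma Cloud's own): grants only the NSG flow-log status query needed for flow-log ingestion. Replace the placeholder subscription ID before use.",
  "Actions": [
    "Microsoft.Network/networkWatchers/queryFlowLogStatus/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000"
  ]
}
```

Create the role with `az role definition create --role-definition <file>.json` and assign it to the registered app with `az role assignment create --assignee <appId> --role "Prisma Cloud Flow Log Status Reader" --scope /subscriptions/<subscriptionId>`, alongside the "Reader" and "Reader and Data Access" roles listed above.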
Additional Information
Reference:
- Azure Cloud Account Onboarding Checklist
- Add an Azure Subscription on Prisma Cloud
- Register an App on Azure Active Directory
- Note: Step 6 of that procedure appears to list all of the roles above as required.