Why would Prisma Cloud require action permissions on Azure resources?


Created On 07/16/24 13:14 PM - Last Modified 09/19/25 16:09 PM


Question



  1. What does action permission do for read operations?
  2. Why would Prisma Cloud require action permissions on Azure resources?
  • "Microsoft.Storage/storageAccounts/listKeys/action",
  • "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action",
  • "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
  • "Microsoft.Network/networkInterfaces/effectiveRouteTable/action",
  • "Microsoft.Network/networkWatchers/securityGroupView/action",
  • "Microsoft.Network/virtualwans/vpnconfiguration/action",
  • "Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
  • "Microsoft.DocumentDB/databaseAccounts/listKeys/action",
  • "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action",
  • "Microsoft.Web/sites/config/list/action"


Environment


  • Prisma Cloud SaaS
  • Azure Cloud Account
  • Flow logs


Answer


Please find information below on why each of these permissions is necessary.
Note that all of them are still read-only operations, not mutating operations.

  • "Microsoft.Storage/storageAccounts/listKeys/action"

To access blob data with the account access key, you must have an Azure role assigned to you that includes the Azure RBAC action Microsoft.Storage/storageAccounts/listkeys/action.

  • "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action"

Get the connection strings for a database account

  • "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action"

Reads the database account readonly keys.

  • "Microsoft.Network/networkInterfaces/effectiveRouteTable/action"

Get network interface effective route table

  • "Microsoft.Network/networkWatchers/securityGroupView/action"

View security groups

  • "Microsoft.Network/virtualwans/vpnconfiguration/action"

Gets a Vpn Configuration

  • "Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action"

Gets the configuration of service URI and custom headers for the webhook.

  • "Microsoft.DocumentDB/databaseAccounts/listKeys/action"

List keys of a database account

  • "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action"

Get network interface effective security groups

  • "Microsoft.Web/sites/config/list/action"

List Web App's security sensitive settings, such as publishing credentials, app settings and connection strings.

  • "Microsoft.ContainerInstance/containerGroups/containers/exec/action"

Exec into a specific container

This permission is needed for compute workload discovery. Together, these permissions are used by the different components of Prisma Cloud: CSPM, CWP, CIEM and Code Security.



Additional Information


Azure requires these permissions in custom roles to allow access to the assets, so the corresponding action permission must be added to the role.
For example, from Azure role-based access control in Azure Cosmos DB:

Custom roles that need to access data stored within Azure Cosmos DB or use Data Explorer in the Azure portal must have Microsoft.DocumentDB/databaseAccounts/listKeys/* action.

Microsoft.Storage/storageAccounts/listKeys/action is required to securely access the storage account (see Azure RBAC permissions - Azure Network Watcher).

To view security groups, Azure requires the role to have the permission Microsoft.Network/networkWatchers/securityGroupView/action (see Azure RBAC permissions - Azure Network Watcher).
Therefore all of the missing permissions you see are required for Prisma Cloud to access these resources for discovery.
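The following is an added example, not code from this article or from Palo Alto Networks, that shows how the Answer and Additional Information sections above play out in a custom role definition. It embeds two constructed Azure custom role JSON documents (the subscription id is a placeholder): a read-only role that only carries `*/read` plus the `Microsoft.DocumentDB/databaseAccounts/listKeys/*` wildcard from the Cosmos DB note, and the same role with the article's `/action` permissions added. It then checks which required actions each role effectively grants, using Azure's control-plane semantics as assumed here (effective permission is `Actions` minus `NotActions`, `*` matches any run of characters, comparison is case-insensitive, which is why the article's `listkeys` and `listKeys` spellings refer to the same operation). It also flags the granted actions whose responses carry credentials (keys, connection strings, publishing credentials, per the operation descriptions above), since an identity holding those must be protected like any other secret holder.

```python
import json
import re

# Actions this KB article says Prisma Cloud's Azure role must carry (copied from the article).
REQUIRED_ACTIONS = [
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action",
    "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
    "Microsoft.Network/networkInterfaces/effectiveRouteTable/action",
    "Microsoft.Network/networkWatchers/securityGroupView/action",
    "Microsoft.Network/virtualwans/vpnconfiguration/action",
    "Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
    "Microsoft.DocumentDB/databaseAccounts/listKeys/action",
    "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action",
    "Microsoft.Web/sites/config/list/action",
    "Microsoft.ContainerInstance/containerGroups/containers/exec/action",
]

# Constructed sample: a read-only custom role as it might look before the fix.
# "*/read" covers GET-style reads but none of the "/action" operations, and the
# Cosmos DB wildcard only covers listKeys/*. The subscription id is a placeholder.
READ_ONLY_ROLE_JSON = """{
  "Name": "prisma-cloud-reader (sample)",
  "IsCustom": true,
  "Actions": ["*/read", "Microsoft.DocumentDB/databaseAccounts/listKeys/*"],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]
}"""

# Constructed sample: the same role with the article's action permissions added.
FIXED_ROLE_JSON = json.dumps({
    "Name": "prisma-cloud-reader (sample, fixed)",
    "IsCustom": True,
    "Actions": ["*/read"] + REQUIRED_ACTIONS,
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
})

# Actions whose responses contain credentials (keys, connection strings,
# publishing credentials), per the operation descriptions in the article.
SECRET_BEARING_MARKERS = ("listkeys/", "listconnectionstrings/", "readonlykeys/", "/config/list/")


def action_matches(pattern: str, action: str) -> bool:
    """Azure-style match (assumed semantics): '*' matches any run of characters,
    including '/', and the comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_grants(role: dict, action: str) -> bool:
    """Effective control-plane permission = Actions minus NotActions."""
    allowed = any(action_matches(p, action) for p in role.get("Actions", []))
    denied = any(action_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied


def missing_actions(role: dict, required=REQUIRED_ACTIONS) -> list:
    """Return the required actions that the role does not effectively grant."""
    return [a for a in required if not role_grants(role, a)]


def secret_bearing_actions(actions) -> list:
    """Subset of the given actions that hand back credentials when called."""
    return [a for a in actions if any(m in a.lower() for m in SECRET_BEARING_MARKERS)]


def check_role(role_json: str, required=REQUIRED_ACTIONS) -> dict:
    """Parse a role definition and report missing and credential-returning actions."""
    role = json.loads(role_json)
    missing = missing_actions(role, required)
    granted = [a for a in required if a not in missing]
    return {
        "name": role["Name"],
        "missing": missing,
        "secret_bearing_granted": secret_bearing_actions(granted),
    }


if __name__ == "__main__":
    for definition in (READ_ONLY_ROLE_JSON, FIXED_ROLE_JSON):
        report = check_role(definition)
        print(f"{report['name']}: {len(report['missing'])} required action(s) missing")
        for a in report["missing"]:
            print("  missing:", a)
        for a in report["secret_bearing_granted"]:
            print("  returns credentials (treat the role's principal as a secret holder):", a)
```

Running the script shows the read-only role missing ten of the eleven required actions (only the Cosmos DB `listKeys` wildcard covers one of them) and the fixed role missing none, with five of its granted actions flagged as credential-returning. The same `missing_actions` check can be pointed at a role definition exported from your own tenant, since the JSON shape is the one Azure uses for custom roles.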


