Review the permissions required to deploy resources and the permissions granted during the terraform process.

The following permissions are required to successfully deploy Trend Vision One cloud security resources to your subscription.
  • For Microsoft Entra ID users, the account you sign in with must have the following roles:
    • Application Administrator
    • Privileged Role Administrator
  • For Microsoft Azure users, the account you sign in with must have the following role, or a higher one, on the subscription you are connecting:
    • User Access Administrator
  • To enable Microsoft Defender for Endpoint Collection or Azure Activity logs, the Microsoft Azure account you sign in with must also have the following role:
    • Key Vault Secrets Officer
The terraform process assigns certain permissions to itself to establish the connection with Cloud Accounts and Trend Vision One cloud security services. These permissions include enabling the Cloud Accounts app and security services to obtain temporary credentials and complete tasks within your Azure cloud environment.

Azure Required Permissions

The table below lists, for each feature, the service it applies to and the permissions the terraform process requires. Entries listed under an Azure defined role are the actions that built-in role grants; where the role is "Contributor", the Not Actions list holds the actions Azure explicitly excludes from the "*" wildcard, so those are not granted at the resource group level.

Feature: Core Features
Service: Azure
Required permissions:
  • Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
  • Microsoft.ContainerService/managedClusters/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleDefinitions/read
  • */read

Feature: Agentless Vulnerability & Threat Detection
Service: Azure
Required permissions:

Subscription-level permissions
  • Microsoft.ContainerRegistry/registries/generateCredentials/action
  • Microsoft.ContainerRegistry/registries/read
  • Microsoft.ContainerRegistry/registries/pull/read
  • Microsoft.ContainerRegistry/registries/tokens/write
  • Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read
  • Microsoft.ContainerRegistry/registries/scopeMaps/read
  • Microsoft.ContainerRegistry/registries/tokens/read
  • Microsoft.Compute/disks/read
  • Microsoft.Compute/virtualMachines/*/read
  • Microsoft.HybridCompute/machines/*/read
  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Compute/locations/usages/read
  • Microsoft.Quota/quotas/read

Trend Micro resource group-level permissions

Azure defined role: Contributor
  • Allow Actions: *
  • Not Actions (excluded from the "*" wildcard):
    • Microsoft.Authorization/*/Delete
    • Microsoft.Authorization/*/Write
    • Microsoft.Authorization/elevateAccess/Action
    • Microsoft.Blueprint/blueprintAssignments/write
    • Microsoft.Blueprint/blueprintAssignments/delete
    • Microsoft.Compute/galleries/share/action
    • Microsoft.Purview/consents/write
    • Microsoft.Purview/consents/delete
    • Microsoft.Resources/deploymentStacks/manageDenySetting/action
    • Microsoft.Subscription/cancel/action
    • Microsoft.Subscription/enable/action

Azure defined role: AcrPull
  • Microsoft.ContainerRegistry/registries/pull/read

Azure defined role: Storage Blob Data Owner
  • Microsoft.Storage/storageAccounts/blobServices/containers/*
  • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*

Trend Micro Storage ID-level permissions

Azure defined role: Storage Blob Data Reader
  • Microsoft.Storage/storageAccounts/blobServices/containers/read
  • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
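To see how the role entries above combine, the following added example (not code from the page or from Trend Micro) evaluates Azure RBAC permissions the way the platform does: an action is granted if it matches an entry in Actions and does not match any entry in NotActions, where "*" spans any characters including "/" and matching is case-insensitive. The role definitions are transcribed from the page; the function and variable names are this example's own.

```python
import re

# Contributor as listed above: everything, minus the Not Actions list.
CONTRIBUTOR = {
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action",
        "Microsoft.Purview/consents/write",
        "Microsoft.Purview/consents/delete",
        "Microsoft.Resources/deploymentStacks/manageDenySetting/action",
        "Microsoft.Subscription/cancel/action",
        "Microsoft.Subscription/enable/action",
    ],
}

# A subset of the Agentless subscription-level list, used as the "required" set.
AGENTLESS_SUBSCRIPTION = [
    "Microsoft.Compute/disks/read",
    "Microsoft.ContainerRegistry/registries/tokens/write",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Authorization/roleAssignments/read",
]


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard match: '*' matches any run of characters
    (segments included); comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_allows(role: dict, action: str) -> bool:
    """Granted when some Actions entry matches and no NotActions entry does."""
    allowed = any(action_matches(p, action) for p in role["Actions"])
    denied = any(action_matches(p, action) for p in role["NotActions"])
    return allowed and not denied


def missing_actions(roles: list, required: list) -> list:
    """Required actions that none of the given roles grants."""
    return [a for a in required if not any(role_allows(r, a) for r in roles)]


if __name__ == "__main__":
    # Shows why roleAssignments/write and /delete appear as separate
    # subscription-level grants: Contributor's Not Actions exclude them.
    print(missing_actions([CONTRIBUTOR], AGENTLESS_SUBSCRIPTION))
```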