Views:
Review the permissions required to deploy resources and the permissions granted when connecting Azure cloud accounts to Trend Vision One.

Azure Required Permissions

Feature
Required permissions
Description
Core features
  • Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
  • Microsoft.ContainerService/managedClusters/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleDefinitions/read
  • */read
These permissions are required to deploy the connector into a cloud account.
Server & Workload Protection
Subscription permissions:
  • Microsoft.Resources/subscriptions/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/providers/read
  • Microsoft.Resources/resources/read
 
Virtual Machine (VM) permissions:
  • Microsoft.Compute/virtualMachines/read
 
Virtual Machine Scale Set (VMSS) permissions:
  • Microsoft.Compute/virtualMachineScaleSets/read
 
Classic Virtual Machine (VM) permissions:
  • Microsoft.ClassicCompute/virtualMachines/read
  • Microsoft.ClassicCompute/domainNames/read
 
Network permissions:
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/networkInterfaces/read
  • Microsoft.Network/publicIPAddresses/read
  • Microsoft.Network/virtualNetworks/read
 
Azure Metadata API permissions:
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Compute/locations/read
 
Authentication and IAM permissions:
  • Microsoft.Resources/deployments/read
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleDefinitions/read
 
Cloud Security Posture
requiredResourceAccess:
  • resourceAppName: Microsoft Graph
  • resourceAccess:
    • name: User.Read
    • type: Delegated
    • name: User.Read.All
    • type: Delegated
    • name: Directory.Read.All
    • type: Application
    • name: User.Read.All
    • type: Application
    • name: Policy.Read.All
    • type: Application
 
requiredRoleAccess
  • resourceAppName: Microsoft App Configuration
    roleActions:
    • name: Microsoft.AppConfiguration/configurationStores/ListKeyValue/action
  • resourceAppName: Microsoft Network
    roleActions:
    • name: Microsoft.Network/networkWatchers/queryFlowLogStatus/action
  • resourceAppName: Microsoft Web
    roleActions:
    • name: Microsoft.Web/sites/config/list/Action
  • resourceAppName: Microsoft Key Vault
    dataActions:
    • name: Microsoft.KeyVault/vaults/keys/read
    • name: Microsoft.KeyVault/vaults/secrets/readMetadata/action
requiredTenantScopeRoleAccess
  • resourceAppName: Microsoft Management
    roleActions:
    • name: Microsoft.Management/managementGroups/read
Agentless Vulnerability & Threat Detection
Subscription permissions:
  • Microsoft.ContainerRegistry/registries/generateCredentials/action
  • Microsoft.ContainerRegistry/registries/read
  • Microsoft.ContainerRegistry/registries/pull/read
  • Microsoft.ContainerRegistry/registries/tokens/write
  • Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read
  • Microsoft.ContainerRegistry/registries/scopeMaps/read
  • Microsoft.ContainerRegistry/registries/tokens/read
  • Microsoft.Compute/disks/read
  • Microsoft.Compute/virtualMachines//read
  • Microsoft.HybridCompute/machines//read
  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Compute/locations/usages/read
  • Microsoft.Quota/quotas/read
 
Trend Micro Resource Group permissions
Azure built-in role: Contributor
  • Actions:
    • Allow Actions:*
  • NotActions:
    • Microsoft.Authorization/*/Delete
    • Microsoft.Authorization/*/Write
    • Microsoft.Authorization/elevateAccess/Action
    • Microsoft.Blueprint/blueprintAssignments/write
    • Microsoft.Blueprint/blueprintAssignments/delete
    • Microsoft.Compute/galleries/share/action
    • Microsoft.Purview/consents/write
    • Microsoft.Purview/consents/delete
    • Microsoft.Resources/deploymentStacks/manageDenySetting/action
    • Microsoft.Subscription/cancel/action
    • Microsoft.Subscription/enable/action
Azure built-in role: AcrPull
  • Microsoft.ContainerRegistry/registries/pull/read
Azure built-in role: Storage Blob Data Owner
  • Microsoft.Storage/storageAccounts/blobServices/containers/*
  • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*
Trend Micro Storage ID permissions
Azure built-in role: Storage Blob Data Reader
  • Microsoft.Storage/storageAccounts/blobServices/containers/read
  • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Cloud Detections for Azure Activity Log
N/A
 
Microsoft Defender for Endpoint Log Collection
  • Microsoft.KeyVault/vaults/secrets/read
  • Microsoft.KeyVault/vaults/secrets/write