Azure IAM Roles

You need to create a custom role that will be assigned to the application created for the Multicloud Defense Controller. The custom role gives the application permissions to read inventory information and create resources such as VMs, load balancers. The custom role can be created in multiple ways. One of the easiest ways is to navigate to your subscription and click Access Control (IAM).

When you add a custom role, you need to name the role and edit the JSON file. This file addresses all of the permissions required to allow communication and data transfer between the sbuscription and the Multicloud Defense Controller. The following list are all the required permissions for this:

"Microsoft.ApiManagement/service/*", 
"Microsoft.Compute/disks/*", 
"Microsoft.Compute/images/read", 
"Microsoft.Compute/sshPublicKeys/read", 
"Microsoft.Compute/virtualMachines/*", 
"Microsoft.ManagedIdentity/userAssignedIdentities/read", 
"Microsoft.ManagedIdentity/userAssignedIdentities/assign/action", 
"Microsoft.Network/loadBalancers/*", 
"Microsoft.Network/natGateways/*", 
"Microsoft.Network/networkinterfaces/*", 
"Microsoft.Network/networkSecurityGroups/*", 
"Microsoft.Network/publicIPAddresses/*", 
"Microsoft.Network/routeTables/*", 
"Microsoft.Network/virtualNetworks/*", 
"Microsoft.Network/virtualNetworks/subnets/*", 
"Microsoft.Resources/subscriptions/resourcegroups/*", 
"Microsoft.Storage/storageAccounts/blobServices/*", 
"Microsoft.Storage/storageAccounts/listkeys/action", 
"Microsoft.Network/networkWatchers/*", 
"Microsoft.Network/applicationSecurityGroups/*",
"Microsoft.Compute/diskEncryptionSets/read",
"Microsoft.Insights/Metrics/Read"