Create a custom role to assign to the Application

The CloudFormation template creates a custom role that will be assigned to the application created for the Multicloud Defense Controller. The custom role gives the application permissions to read inventory information and create resources (e.g., VMs, load balancers, etc.)

There are multiple ways to create a custom role but we recommend the following procedure:

Procedure

Step 1

Navigate to Subscription and click Access Control (IAM).

Step 2

Click on Roles and on the top menu bar navigate to click +Add > Add Custom Role.

Step 3

Give a name to the custom role (e.g., multicloud defense-controller-role).

Step 4

Keep clicking Next until you get to the JSON editing screen.

Step 5

Click Edit on the screen and in the JSON text, under the permissions > actions section, copy and paste the following content between the square brackets (no need to maintain the indentation):


"Microsoft.ApiManagement/service/*", 
"Microsoft.Compute/disks/*", 
"Microsoft.Compute/images/read", 
"Microsoft.Compute/sshPublicKeys/read", 
"Microsoft.Compute/virtualMachines/*", 
"Microsoft.ManagedIdentity/userAssignedIdentities/read", 
"Microsoft.ManagedIdentity/userAssignedIdentities/assign/action", 
"Microsoft.Network/loadBalancers/*", 
"Microsoft.Network/natGateways/*", 
"Microsoft.Network/networkinterfaces/*", 
"Microsoft.Network/networkSecurityGroups/*", 
"Microsoft.Network/publicIPAddresses/*", 
"Microsoft.Network/routeTables/*", 
"Microsoft.Network/virtualNetworks/*", 
"Microsoft.Network/virtualNetworks/subnets/*", 
"Microsoft.Resources/subscriptions/resourcegroups/*", 
"Microsoft.Storage/storageAccounts/blobServices/*", 
"Microsoft.Storage/storageAccounts/listkeys/action", 
"Microsoft.Network/networkWatchers/*", 
"Microsoft.Network/applicationSecurityGroups/*",
"Microsoft.Compute/diskEncryptionSets/read",
"Microsoft.Insights/Metrics/Read"

Step 6

Optional - If you plan to use multiple subscriptions with Multicloud Defense, you must edit the JSON at assignableScopes to add another subscription line or change it to * (star) so the custom role can be used with all subscriptions.

Step 7

Click Save at the top of the text box.

Step 8

Click Review + Create and create the role.

Step 9

Once the custom role is created return to Access Control (IAM).

Step 10

On the top menu bar, click Add > Add role assignment.

Step 11

In the Role dropdown, select the custom role created above.

Step 12

In the Assign access to dropdown leave it as the default (Azure AD user, group, service principal).

Step 13

In the Select text box, type in the name of the application created earlier (e.g. multicloud defensecontrollerapp) and click Save.

Step 14

In the Subscription page, click on the Overview in the left menu bar and copy the subscription ID to the notepad.