Permissions Required for Onboarding Azure

Note: For Azure, a custom role has to be created from each definition below and assigned to the service principal that AppViewX uses for onboarding.
Important: In the following sample permissions, the subscription ID in assignableScopes (000-000-000-0000-000) is a placeholder. Replace it with your actual subscription ID before creating the role; a custom role can only be assigned at or below the scopes listed in assignableScopes.
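The following Python is an added example, not AppViewX's or Microsoft's code. It takes a role definition in the portal "properties" form used on this page, substitutes the placeholder subscription ID, checks the definition for the mistakes that are easy to make when hand-editing these files (unreplaced placeholder, invalid JSON, malformed or wildcard actions, duplicated entries), converts it to the flat format that `az role definition create` documents, and prints the two az CLI commands needed to create and assign the role. The subscription ID, service principal object ID and the role.json output path are assumptions; the sample input is the Key Vault certificate role copied from this page.

```python
"""Prepare an Azure custom role definition for the az CLI (added example, not vendor code)."""
import json
import re
import uuid

PLACEHOLDER_SUB = "000-000-000-0000-000"          # placeholder used on this page
SCOPE_RE = re.compile(r"^/subscriptions/[0-9a-f-]{36}(?:/resourceGroups/[^/]+)?$", re.I)
ACTION_RE = re.compile(r"^[a-z]+\.[a-z]+(?:/[a-z]+)+$", re.I)   # Provider.Namespace/type/.../verb

# Constructed sample input: the Key Vault certificate role as listed on this page.
SAMPLE_ROLE = """{
  "properties": {
    "roleName": "AppViewX_KeyVault_Role",
    "description": "",
    "assignableScopes": ["/subscriptions/000-000-000-0000-000"],
    "permissions": [{
      "actions": ["Microsoft.KeyVault/vaults/read"],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/certificates/import/action",
        "Microsoft.KeyVault/vaults/certificates/create/action",
        "Microsoft.KeyVault/vaults/certificates/update/action",
        "Microsoft.KeyVault/vaults/certificates/read"
      ],
      "notDataActions": []
    }]
  }
}"""


def prepare_role(raw_json, subscription_id):
    """Return (flat role dict for az CLI, list of problems).

    Raises ValueError if subscription_id is not a GUID (e.g. the placeholder was
    never replaced) or if the JSON does not parse (missing comma, missing quotes).
    """
    uuid.UUID(subscription_id)                     # rejects an unreplaced placeholder
    props = json.loads(raw_json)["properties"]     # malformed JSON fails here
    problems = []

    scopes = [s.replace(PLACEHOLDER_SUB, subscription_id) for s in props["assignableScopes"]]
    problems += [f"bad assignableScope: {s}" for s in scopes if not SCOPE_RE.match(s)]

    merged = {"Actions": [], "NotActions": [], "DataActions": [], "NotDataActions": []}
    for perm in props["permissions"]:
        for src, dst in (("actions", "Actions"), ("notActions", "NotActions"),
                         ("dataActions", "DataActions"), ("notDataActions", "NotDataActions")):
            for entry in perm.get(src, []):
                if entry.lower() in (e.lower() for e in merged[dst]):
                    continue                       # duplicate entry: keep the first copy only
                if "*" in entry:
                    problems.append(f"wildcard in {src}: {entry}")   # broader than least privilege
                elif not ACTION_RE.match(entry):
                    problems.append(f"malformed {src} entry: {entry}")
                merged[dst].append(entry)

    role = {"Name": props["roleName"], "Description": props.get("description", ""),
            "AssignableScopes": scopes, **merged}
    return role, problems


def az_commands(role, principal_object_id, role_file="role.json"):
    """az CLI commands that create the role and assign it to the service principal."""
    return [
        f"az role definition create --role-definition @{role_file}",
        f'az role assignment create --assignee-object-id {principal_object_id} '
        f'--assignee-principal-type ServicePrincipal --role "{role["Name"]}" '
        f'--scope {role["AssignableScopes"][0]}',
    ]


if __name__ == "__main__":
    sub = "11111111-2222-3333-4444-555555555555"   # assumed subscription ID
    sp = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"    # assumed service principal object ID
    role, problems = prepare_role(SAMPLE_ROLE, sub)
    if problems:
        raise SystemExit("\n".join(problems))
    with open("role.json", "w") as f:             # assumed output path consumed by az
        json.dump(role, f, indent=2)
    print("\n".join(az_commands(role, sp)))
```

Running the az commands requires an identity that can write role definitions and role assignments at the subscription (Owner or User Access Administrator). The script assigns by object ID and principal type rather than by display name so the assignment cannot land on a similarly named user or group.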

Permissions for Key Vault

Note: The dataActions in the roles below take effect only on vaults that use the Azure RBAC permission model. A vault that still uses the vault access policy model ignores them, and the equivalent certificate or secret permissions must be granted through an access policy instead.

Certificates
{
  "properties": {
    "roleName": "AppViewX_KeyVault_Role",
    "description": "",
    "assignableScopes": [
      "/subscriptions/000-000-000-0000-000"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.KeyVault/vaults/read"
        ],
        "notActions": [],
        "dataActions": [
          "Microsoft.KeyVault/vaults/certificates/import/action",
          "Microsoft.KeyVault/vaults/certificates/create/action",
          "Microsoft.KeyVault/vaults/certificates/update/action",
          "Microsoft.KeyVault/vaults/certificates/read"
        ],
        "notDataActions": []
      }
    ]
  }
}
Secrets
{
  "properties": {
    "roleName": "AppViewX_KeyVault_Secret_Role",
    "description": "",
    "assignableScopes": [
      "/subscriptions/000-000-000-0000-000"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.KeyVault/vaults/secrets/read"
        ],
        "notActions": [],
        "dataActions": [
          "Microsoft.KeyVault/vaults/secrets/setSecret/action",
          "Microsoft.KeyVault/vaults/secrets/getSecret/action",
          "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
        ],
        "notDataActions": []
      }
    ]
  }
}

Permissions for Application Gateway

Important: Include the permission Microsoft.ManagedIdentity/userAssignedIdentities/assign/action only if the application gateway has to be integrated with the key vault; it is needed to attach the user-assigned managed identity that the gateway uses to read certificates from the vault.
{
    "properties": {
        "roleName": "AppViewX_AppGW_Permission",
        "description": "",
        "assignableScopes": [
            "/subscriptions/000-000-000-0000-000"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Network/applicationGateways/write",
                    "Microsoft.Network/applicationGateways/read",
                    "Microsoft.Network/applicationGatewayAvailableSslOptions/predefinedPolicies/read",
                    "Microsoft.Network/applicationGatewayAvailableSslOptions/read",
                    "Microsoft.Network/virtualNetworks/subnets/join/action",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Permissions for Virtual Machine

{
  "properties": {
    "roleName": "AppViewX_VirtualMachine_Role",
    "description": "",
    "assignableScopes": [
      "/subscriptions/000-000-000-0000-000"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/virtualMachines/read",
          "Microsoft.Network/networkInterfaces/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}

Permissions for App Service

Important: Include the permission Microsoft.ManagedIdentity/userAssignedIdentities/assign/action only if the App Service has to be integrated with the key vault; it is needed to attach the user-assigned managed identity that the App Service uses to read certificates from the vault.
{
    "properties": {
        "roleName": "AppViewX_App_Service_Permission",
        "description": "",
        "assignableScopes": [
            "/subscriptions/000-000-000-0000-000"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Web/sites/Read",
                    "Microsoft.Web/sites/Write",
                    "microsoft.web/sites/publiccertificates/read",
                    "microsoft.web/sites/publiccertificates/write",
                    "Microsoft.Web/sites/restart/Action",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Permissions for Enterprise Application

The service principal used for onboarding needs the following Microsoft Graph API permissions, granted with admin consent:
  • Application.Read.All
  • Application.ReadWrite.All

Permissions for API Management

Important: Include the permission Microsoft.ManagedIdentity/userAssignedIdentities/assign/action only if the API Management instance has to be integrated with the key vault; it is needed to attach the user-assigned managed identity that API Management uses to read certificates from the vault.
{
    "properties": {
        "roleName": "AppViewX_APIMngmnt_Permission",
        "description": "",
        "assignableScopes": [
            "/subscriptions/000-000-000-0000-000"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.ApiManagement/service/certificates/read",
                    "Microsoft.ApiManagement/service/certificates/write",
                    "Microsoft.ApiManagement/service/certificates/delete",
                    "Microsoft.ApiManagement/service/certificates/refreshSecret/action",
                    "Microsoft.ApiManagement/service/read",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Permissions for App Registration

The service principal used for onboarding needs the following Microsoft Graph API permissions, granted with admin consent:
  • Application.Read.All
  • Application.ReadWrite.All

Permissions for FrontDoor

{
    "properties": {
        "roleName": "AppViewX_FrontDoor_Permission",
        "description": "",
        "assignableScopes": [
            "/subscriptions/000-000-000-0000-000"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Resources/subscriptions/resources/read",
                    "Microsoft.Cdn/profiles/customDomains/read",
                    "Microsoft.Cdn/profiles/secrets/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}