
Permissions for Onboarding Azure

This section describes the set of permissions that you grant to the Illumio Cloud App that is registered in Azure Active Directory.

These permissions are required, irrespective of whether you use the default method provided by the wizard or the guided method.

Permission Type: Read
Permission Name: Reader - role
Description: This role gives Illumio Cloud the permissions to read data or resources from your subscription. According to Microsoft, the role is defined as follows: "View all resources, but does not allow you to make any changes."

Permission Type: NSG, Azure Firewall
Permission Name: Multiple, see below.
Description: Use these permissions to create custom roles. Any custom roles with elevated permissions are defined as part of the PowerShell script that runs when you onboard an Azure subscription.

If the user onboarding Azure has Owner permissions, these permissions are automatically assigned to the "Illumio Network Security Administrator" custom role that the onboarding PowerShell script creates.

However, if the user onboarding Azure does not have Owner permissions, you must create the "Illumio Network Security Administrator" custom role with these NSG and Azure Firewall permissions before the onboarding PowerShell script is run.

Permission Type: Flow
Permission Name: Storage Blob Data Reader – role

NSG Permissions
"Microsoft.Network/networkSecurityGroups/read"
"Microsoft.Network/networkSecurityGroups/write"
"Microsoft.Network/networkSecurityGroups/delete"
"Microsoft.Network/networkSecurityGroups/join/action"
"Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read"
"Microsoft.Network/networkSecurityGroups/securityRules/write"
"Microsoft.Network/networkSecurityGroups/securityRules/delete"
"Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/read"
"Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/write"
"Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/logDefinitions/read"
"Microsoft.Network/networkWatchers/securityGroupView/action"
Azure Firewall Permissions
$actions = "Microsoft.Network/azurefirewalls/read",
           "Microsoft.Network/azurefirewalls/learnedIPPrefixes/action",
           "Microsoft.Network/azureFirewalls/applicationRuleCollections/write",
           "Microsoft.Network/azureFirewalls/applicationRuleCollections/delete",
           "Microsoft.Network/azureFirewalls/applicationRuleCollections/read",
           "Microsoft.Network/azurefirewalls/providers/Microsoft.Insights/logDefinitions/read",
           "Microsoft.Network/azureFirewalls/natRuleCollections/write",
           "Microsoft.Network/azureFirewalls/natRuleCollections/read",
           "Microsoft.Network/azureFirewalls/natRuleCollections/delete",
           "Microsoft.Network/azureFirewalls/networkRuleCollections/read",
           "Microsoft.Network/azureFirewalls/networkRuleCollections/write",
           "Microsoft.Network/azureFirewalls/networkRuleCollections/delete",
           "Microsoft.Network/azureFirewallFqdnTags/read",
           "Microsoft.Network/azurefirewalls/providers/Microsoft.Insights/metricDefinitions/read",
           "Microsoft.Network/firewallPolicies/read",
           "Microsoft.Network/firewallPolicies/write",
           "Microsoft.Network/firewallPolicies/join/action",
           "Microsoft.Network/firewallPolicies/certificates/action",
           "Microsoft.Network/firewallPolicies/delete",
           "Microsoft.Network/firewallPolicies/ruleCollectionGroups/read",
           "Microsoft.Network/firewallPolicies/ruleCollectionGroups/write",
           "Microsoft.Network/firewallPolicies/ruleCollectionGroups/delete",
           "Microsoft.Network/firewallPolicies/ruleGroups/read",
           "Microsoft.Network/firewallPolicies/ruleGroups/write",
           "Microsoft.Network/firewallPolicies/ruleGroups/delete",
           "Microsoft.Network/ipGroups/read",
           "Microsoft.Network/ipGroups/write",
           "Microsoft.Network/ipGroups/validate/action",
           "Microsoft.Network/ipGroups/updateReferences/action",
           "Microsoft.Network/ipGroups/join/action",
           "Microsoft.Network/ipGroups/delete"
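When the onboarding user is not an Owner, the custom role has to exist before the onboarding script runs. The following is an added example, not Illumio's onboarding script: it builds the "Illumio Network Security Administrator" role from the two lists above, scoped to a single subscription, and then checks that the definition Azure stored carries every required action. It assumes the Az.Resources module, an active Connect-AzAccount session, that the Azure Firewall `$actions` array above has been run in the same session, and a placeholder subscription ID.

```powershell
# Added example, not Illumio's onboarding script. Creates the custom role for the
# case where the onboarding user is not an Owner, then checks that Azure stored
# every required action. Assumes Az.Resources, an active Connect-AzAccount session,
# and that the $actions array from the Azure Firewall section above has been run.
$subscriptionId = "<your-subscription-id>"   # placeholder, replace with your own
$roleName = "Illumio Network Security Administrator"

$nsgActions = @(
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/networkSecurityGroups/delete",
    "Microsoft.Network/networkSecurityGroups/join/action",
    "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/delete",
    "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/read",
    "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/write",
    "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/logDefinitions/read",
    "Microsoft.Network/networkWatchers/securityGroupView/action"
)
$requiredActions = $nsgActions + $actions   # NSG list plus the Azure Firewall list

# Start from a built-in role object as a template, then turn it into a custom role
# whose assignable scope is only the subscription being onboarded.
$role = Get-AzRoleDefinition -Name "Reader"
$role.Id = $null
$role.IsCustom = $true
$role.Name = $roleName
$role.Description = "NSG and Azure Firewall permissions used by Illumio Cloud onboarding"
$role.Actions.Clear()
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
foreach ($action in $requiredActions) { $role.Actions.Add($action) }
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")
New-AzRoleDefinition -Role $role | Out-Null

# Verify the stored definition: report any required action that did not make it in.
$stored = Get-AzRoleDefinition -Name $roleName
$missing = @($requiredActions | Where-Object { $stored.Actions -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning "Role '$roleName' is missing $($missing.Count) required action(s):"
    $missing | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host "Role '$roleName' contains all $($requiredActions.Count) required actions."
}
```

If a role with this name already exists, New-AzRoleDefinition fails; update the existing definition with Set-AzRoleDefinition -Role $role instead.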

Flow Log Support

Illumio Cloud supports NSG flow logs version 2 (which includes flow state and byte counts) but does not support version 1. It also supports VNet flow logs and Azure Firewall flow logs.

See Set up Flow Logs.