Permissions for Onboarding Azure
This section describes the set of permissions that you grant to the Illumio Cloud App that is registered in Azure Active Directory.
These permissions are required, irrespective of whether you use the default method provided by the wizard or the guided method.
If you are onboarding using the default method described in Onboard an Azure Cloud tenant - default setup and Onboard an Azure Cloud subscription - default setup, it automatically provisions the permissions described here.
If you are onboarding using the guided method (described in Onboard an Azure Cloud Tenant - Guided Setup and Onboard an Azure Cloud Subscription - Guided Setup), which does not involve running the PowerShell script provided in the wizard, or if you lack Owner access, you need to set these permissions via the Azure Console.
Permission Type | Permission Name | Notes |
---|---|---|
Read | Reader - role | This built-in role gives Illumio Cloud permission to read data and resources in your subscription or tenant. It allows viewing of all resources but no modification. |
Write | Writer - role | This role gives Illumio Cloud permission to modify data and resources in your subscription or tenant. |
NSG, Azure Firewall | Multiple, see below. | Use these permissions to create custom roles. Custom roles with elevated permissions are defined as part of the PowerShell script that is run when you onboard an Azure subscription. If the user onboarding Azure has Owner permissions, these permissions are automatically assigned to the "Illumio Network Security Administrator" custom role that the onboarding PowerShell script creates. If the user onboarding Azure does not have Owner permissions, you must create the "Illumio Network Security Administrator" custom role with these NSG and Azure Firewall permissions before the onboarding PowerShell script is run. |
Flow | Storage Blob Data Reader - role | Built-in role that grants read access to blob data; used to read the flow logs written to your storage account. |
Read and Write Policy
When you grant read and write permissions to Illumio Cloud, the following roles are created in the Azure tenant.
Reader Role - Built In Role

```json
{
  "assignableScopes": [ "/" ],
  "description": "View all resources, but does not allow you to make any changes.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "name": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "permissions": [
    {
      "actions": [ "*/read" ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Illumio Network Security Administrator Role - Custom Role

```json
{
  "properties": {
    "roleName": "Illumio Network Security Administrator",
    "description": "Illumio Network Administration Role",
    "assignableScopes": [ "/" ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action",
          "Microsoft.Network/networkSecurityGroups/read",
          "Microsoft.Network/networkSecurityGroups/write",
          "Microsoft.Network/networkSecurityGroups/delete",
          "Microsoft.Network/networkSecurityGroups/join/action",
          "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
          "Microsoft.Network/networkSecurityGroups/securityRules/write",
          "Microsoft.Network/networkSecurityGroups/securityRules/delete",
          "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/read",
          "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/write",
          "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/logDefinitions/read",
          "Microsoft.Network/networkWatchers/securityGroupView/action"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```

Illumio Firewall Administrator Role - Custom Role

```json
{
  "properties": {
    "roleName": "Illumio Firewall Administrator",
    "description": "Illumio Firewall Administrator role",
    "assignableScopes": [ "/" ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Network/azurefirewalls/read",
          "Microsoft.Network/azurefirewalls/learnedIPPrefixes/action",
          "Microsoft.Network/azureFirewalls/applicationRuleCollections/write",
          "Microsoft.Network/azureFirewalls/applicationRuleCollections/delete",
          "Microsoft.Network/azureFirewalls/applicationRuleCollections/read",
          "Microsoft.Network/azurefirewalls/providers/Microsoft.Insights/logDefinitions/read",
          "Microsoft.Network/azureFirewalls/natRuleCollections/write",
          "Microsoft.Network/azureFirewalls/natRuleCollections/read",
          "Microsoft.Network/azureFirewalls/natRuleCollections/delete",
          "Microsoft.Network/azureFirewalls/networkRuleCollections/read",
          "Microsoft.Network/azureFirewalls/networkRuleCollections/write",
          "Microsoft.Network/azureFirewalls/networkRuleCollections/delete",
          "Microsoft.Network/azureFirewallFqdnTags/read",
          "Microsoft.Network/azurefirewalls/providers/Microsoft.Insights/metricDefinitions/read",
          "Microsoft.Network/firewallPolicies/read",
          "Microsoft.Network/firewallPolicies/write",
          "Microsoft.Network/firewallPolicies/join/action",
          "Microsoft.Network/firewallPolicies/certificates/action",
          "Microsoft.Network/firewallPolicies/delete",
          "Microsoft.Network/firewallPolicies/ruleCollectionGroups/read",
          "Microsoft.Network/firewallPolicies/ruleCollectionGroups/write",
          "Microsoft.Network/firewallPolicies/ruleCollectionGroups/delete",
          "Microsoft.Network/firewallPolicies/ruleGroups/read",
          "Microsoft.Network/firewallPolicies/ruleGroups/write",
          "Microsoft.Network/firewallPolicies/ruleGroups/delete",
          "Microsoft.Network/ipGroups/read",
          "Microsoft.Network/ipGroups/write",
          "Microsoft.Network/ipGroups/validate/action",
          "Microsoft.Network/ipGroups/updateReferences/action",
          "Microsoft.Network/ipGroups/join/action",
          "Microsoft.Network/ipGroups/delete"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
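When you pre-create the "Illumio Network Security Administrator" custom role yourself (the guided setup, or a user without Owner rights), it is worth checking the role definition you are about to assign against the action list above before the onboarding script runs: a missing action makes onboarding fail, and an extra or wildcard action grants more than least privilege requires. The following is an added example written for this page, not Illumio's or Microsoft's code. It takes a role definition in the same JSON shape shown above (a file exported from Azure, or a dict built in a script) and reports missing actions, surplus actions and wildcards. Actions are compared case-insensitively, since the page's own list mixes `networkSecurityGroups` and `networksecuritygroups`. The two candidate roles at the bottom are constructed samples, and the subscription id in them is a placeholder.

```python
import json

# Actions the page lists for the "Illumio Network Security Administrator" custom role.
NSG_ADMIN_REQUIRED = (
    "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/networkSecurityGroups/delete",
    "Microsoft.Network/networkSecurityGroups/join/action",
    "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/delete",
    "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/read",
    "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/write",
    "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/logDefinitions/read",
    "Microsoft.Network/networkWatchers/securityGroupView/action",
)


def role_actions(role_def):
    """Collect every 'actions' entry of a role definition.

    Accepts both the wrapped shape ({"properties": {...}}) used for the custom
    roles on this page and the flat shape used for the built-in Reader role.
    """
    props = role_def.get("properties", role_def)
    actions = []
    for perm in props.get("permissions", []):
        actions.extend(perm.get("actions", []))
    return actions


def check_role(role_def, required):
    """Compare a role definition with the required action set.

    Matching is case-insensitive. Returns the required actions the role lacks,
    the actions it carries beyond the required set, and any wildcard actions,
    which are a least-privilege red flag for a narrowly scoped role.
    """
    actual = role_actions(role_def)
    actual_by_lc = {a.lower(): a for a in actual}
    required_by_lc = {a.lower(): a for a in required}
    missing = sorted(required_by_lc[k] for k in required_by_lc.keys() - actual_by_lc.keys())
    extra = sorted(actual_by_lc[k] for k in actual_by_lc.keys() - required_by_lc.keys())
    wildcards = sorted(a for a in actual if "*" in a)
    return {"missing": missing, "extra": extra, "wildcards": wildcards}


def load_and_check(path, required=NSG_ADMIN_REQUIRED):
    """Load a role definition exported to a JSON file and check it."""
    with open(path, encoding="utf-8") as fh:
        return check_role(json.load(fh), required)


# Constructed sample: a hand-made role that drifted from the required list
# (one action dropped, one unrelated delete permission added).
DRIFTED_ROLE = {
    "properties": {
        "roleName": "Illumio Network Security Administrator",
        # placeholder subscription id, not a real scope
        "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
        "permissions": [{
            "actions": [a for a in NSG_ADMIN_REQUIRED
                        if not a.endswith("securityGroupView/action")]
                       + ["Microsoft.Network/virtualNetworks/delete"],
            "notActions": [], "dataActions": [], "notDataActions": [],
        }],
    }
}

# Constructed sample: a shortcut role that uses a provider wildcard instead of
# the explicit list and therefore grants far more than onboarding needs.
WILDCARD_ROLE = {
    "properties": {
        "roleName": "Illumio Network Security Administrator",
        "permissions": [{"actions": ["Microsoft.Network/*"], "notActions": []}],
    }
}


if __name__ == "__main__":
    for name, role in (("drifted", DRIFTED_ROLE), ("wildcard", WILDCARD_ROLE)):
        print(name, json.dumps(check_role(role, NSG_ADMIN_REQUIRED), indent=2))
```

Run the same check with the "Illumio Firewall Administrator" action list as `required` to validate that role as well. An empty `missing`, `extra` and `wildcards` is the result you want before assigning the role; anything in `wildcards` or `extra` should be removed rather than accepted.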
Flow Log Support
Illumio Cloud supports NSG flow logs version 2, which adds per-flow state and byte counts, but does not support version 1. It also supports VNet flow logs and Azure Firewall flow logs.
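The version requirement comes down to the tuple layout: a version 1 flow tuple stops at the allow/deny decision, while version 2 appends the flow state (B/C/E) and the packet and byte counters in both directions, so only version 2 records can tell you how much data a flow moved. The following added example, written for this page and not Illumio's or Microsoft's code, parses the NSG flow log record shape that Microsoft documents (`properties.Version`, `properties.flows[].rule`, `properties.flows[].flows[].flowTuples[]`), refuses version 1 records, and summarises allowed, denied and byte totals. The two records at the bottom are constructed samples, not real logs; IP addresses and MAC are placeholders. VNet and Azure Firewall logs use different shapes and are not covered here.

```python
from dataclasses import dataclass
from typing import Optional

# Tuple layout documented for NSG flow logs: version 1 has 8 comma-separated
# fields, version 2 adds flow state, packets S->D, bytes S->D, packets D->S, bytes D->S.
V1_FIELDS = 8
V2_FIELDS = 13


@dataclass
class Flow:
    timestamp: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str          # "T" tcp / "U" udp
    direction: str         # "I" inbound / "O" outbound
    decision: str          # "A" allowed / "D" denied
    state: Optional[str]   # "B" begin / "C" continuing / "E" end (version 2 only)
    bytes_src_to_dst: int = 0
    bytes_dst_to_src: int = 0


def parse_tuple(raw, version):
    """Parse one flow tuple string for the given log version."""
    parts = raw.split(",")
    expected = V2_FIELDS if version == 2 else V1_FIELDS
    if len(parts) != expected:
        raise ValueError(f"expected {expected} fields for version {version}, got {len(parts)}")
    ts, sip, dip, sport, dport, proto, direction, decision = parts[:8]
    flow = Flow(int(ts), sip, dip, int(sport), int(dport), proto, direction, decision, None)
    if version == 2:
        state, _pkts_sd, bytes_sd, _pkts_ds, bytes_ds = parts[8:]
        flow.state = state
        # Counters are empty on "B" (begin) tuples; "C" and "E" tuples carry totals.
        flow.bytes_src_to_dst = int(bytes_sd) if bytes_sd else 0
        flow.bytes_dst_to_src = int(bytes_ds) if bytes_ds else 0
    return flow


def flows_from_record(record):
    """Return (rule name, Flow) pairs from one flow log record; version 2 only."""
    props = record["properties"]
    version = props.get("Version", 1)
    if version != 2:
        raise ValueError(f"NSG flow log version {version} is not supported; enable version 2")
    out = []
    for rule in props["flows"]:
        for group in rule["flows"]:
            for raw in group["flowTuples"]:
                out.append((rule["rule"], parse_tuple(raw, version)))
    return out


def summarize(record):
    """Count flows and decisions and total the bytes reported in the record."""
    flows = flows_from_record(record)
    return {
        "flows": len(flows),
        "allowed": sum(1 for _, f in flows if f.decision == "A"),
        "denied": sum(1 for _, f in flows if f.decision == "D"),
        "bytes_src_to_dst": sum(f.bytes_src_to_dst for _, f in flows),
        "bytes_dst_to_src": sum(f.bytes_dst_to_src for _, f in flows),
    }


# Constructed version 2 record: an outbound HTTPS flow seen at begin and end,
# plus one denied inbound SSH attempt.
SAMPLE_V2_RECORD = {
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {
        "Version": 2,
        "flows": [
            {"rule": "DefaultRule_AllowInternetOutBound",
             "flows": [{"mac": "000D3A000000",
                        "flowTuples": [
                            "1542110377,10.0.0.4,198.51.100.7,44365,443,T,O,A,B,,,,",
                            "1542110379,10.0.0.4,198.51.100.7,44365,443,T,O,A,E,25,2456,26,3024",
                        ]}]},
            {"rule": "DefaultRule_DenyAllInBound",
             "flows": [{"mac": "000D3A000000",
                        "flowTuples": ["1542110381,203.0.113.5,10.0.0.4,51234,22,T,I,D,B,,,,"]}]},
        ],
    },
}

# Constructed version 1 record: same flow, but no state or counters to work with.
SAMPLE_V1_RECORD = {
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {
        "Version": 1,
        "flows": [{"rule": "DefaultRule_AllowInternetOutBound",
                   "flows": [{"mac": "000D3A000000",
                              "flowTuples": ["1542110377,10.0.0.4,198.51.100.7,44365,443,T,O,A"]}]}],
    },
}

if __name__ == "__main__":
    print(summarize(SAMPLE_V2_RECORD))
```

If your storage account still holds version 1 blobs, `flows_from_record` raises rather than silently producing flows with zero byte counts, which is the failure mode you want to surface when checking why flow data is not appearing.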