Permissions for Azure
Azure permission descriptions
| Permission Type | Permission Name | Notes |
|---|---|---|
| Read | Reader role | Grants permission to read data and resources in your subscription or tenant. All resources can be viewed; none can be modified. |
| Write | Writer role | Grants permission to modify data and resources in your subscription or tenant. |
| NSG, Azure Firewall | Multiple, see below. | These permissions are used to create custom roles. Any custom roles with elevated permissions are defined as part of the PowerShell script that is run when you onboard an Azure subscription. If the user onboarding Azure has Owner permissions, these permissions are automatically assigned to the "Illumio Network Security Administrator" custom role that the onboarding PowerShell script creates. If the user onboarding Azure does not have Owner permissions, you must create the "Illumio Network Security Administrator" custom role with these NSG and Azure Firewall permissions before the onboarding PowerShell script is run. |
| Flow | Storage Blob Data Reader role | |
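When the onboarding user does not hold Owner, the custom roles have to exist before the onboarding script runs. The PowerShell below is an added example for that step; it is not Illumio's onboarding script. It assumes the Az module is installed, `Connect-AzAccount` has already run as an identity allowed to create role definitions, and the two custom role definitions on this page have been saved to the local JSON files named in `$roleFiles` (file names and the subscription ID are placeholders). It narrows `assignableScopes` from `/` to the subscription being onboarded, which is a least-privilege choice made by this example rather than something the page requires, creates each role with `New-AzRoleDefinition` if it is absent, and then checks that every listed action is present and reports any wildcard actions so a reviewer can see how broad the grant is.

```powershell
# Added example, not Illumio's onboarding script. Assumes the Az module is
# installed, Connect-AzAccount has run with rights to create role definitions,
# and the two custom role definitions on this page are saved as the JSON files
# named below (file names and subscription ID are placeholders).
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$roleFiles = '.\illumio-network-security-admin.json', '.\illumio-firewall-admin.json'

function Register-IllumioCustomRole {
    param([Parameter(Mandatory)][string]$RoleFile,
          [Parameter(Mandatory)][string]$SubscriptionId)

    $props = (Get-Content -Raw $RoleFile | ConvertFrom-Json).properties
    $perm  = $props.permissions[0]

    # New-AzRoleDefinition -InputFile expects the flat Name/Actions/... layout.
    # assignableScopes is narrowed from "/" to the onboarded subscription (least
    # privilege; an assumption of this example, not a statement on this page).
    $flat = [ordered]@{
        Name             = $props.roleName
        Description      = $props.description
        IsCustom         = $true
        Actions          = @($perm.actions)
        NotActions       = @($perm.notActions)
        DataActions      = @($perm.dataActions)
        NotDataActions   = @($perm.notDataActions)
        AssignableScopes = @("/subscriptions/$SubscriptionId")
    }
    $tmp = Join-Path ([IO.Path]::GetTempPath()) "$($props.roleName -replace '\s','-').json"
    $flat | ConvertTo-Json -Depth 5 | Set-Content -Path $tmp -Encoding utf8

    $existing = Get-AzRoleDefinition -Name $props.roleName -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-AzRoleDefinition -InputFile $tmp | Out-Null
        Write-Host "Created custom role '$($props.roleName)'"
    } else {
        Write-Host "Custom role '$($props.roleName)' already exists; verifying"
    }

    # Verify: every action listed on the page is present, and surface wildcard
    # actions (e.g. Microsoft.Network/networkSecurityGroups/*) for the reviewer.
    $created = Get-AzRoleDefinition -Name $props.roleName
    $missing = @($perm.actions | Where-Object { $created.Actions -notcontains $_ })
    if ($missing.Count) { Write-Warning "$($props.roleName): missing actions: $($missing -join ', ')" }
    else                { Write-Host "$($props.roleName): all $($perm.actions.Count) listed actions present" }
    $created.Actions | Where-Object { $_.Contains('*') } |
        ForEach-Object { Write-Host "  wildcard action granted: $_" }
}

foreach ($f in $roleFiles) { Register-IllumioCustomRole -RoleFile $f -SubscriptionId $subscriptionId }
```

Run it once before the onboarding script. The wildcard report is informational: the definitions on this page grant `Microsoft.Network/networkSecurityGroups/*` and `Microsoft.Authorization/locks/*`, and the output simply makes those entries visible next to the narrower ones so the grant can be reviewed deliberately.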
Azure read and write policy
When you grant read and write permissions to , the following roles are created in the Azure tenant.
Reader Role - Built-in Role
```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "View all resources, but does not allow you to make any changes.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "name": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "permissions": [
    {
      "actions": [
        "*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
Illumio Network Security Administrator Role - Custom Role
```json
{
  "properties": {
    "roleName": "Illumio Network Security Administrator",
    "description": "Illumio Network Administration Role",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action",
          "Microsoft.Network/networkSecurityGroups/read",
          "Microsoft.Network/networkSecurityGroups/write",
          "Microsoft.Network/networkSecurityGroups/delete",
          "Microsoft.Network/networkSecurityGroups/join/action",
          "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
          "Microsoft.Network/networkSecurityGroups/securityRules/write",
          "Microsoft.Network/networkSecurityGroups/securityRules/delete",
          "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/read",
          "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/write",
          "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/logDefinitions/read",
          "Microsoft.Network/networkWatchers/securityGroupView/action",
          "Microsoft.Network/networkSecurityGroups/*",
          "Microsoft.Network/networkInterfaces/read",
          "Microsoft.Network/networkInterfaces/write",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/virtualNetworks/subnets/write",
          "Microsoft.Network/virtualNetworks/subnets/read",
          "Microsoft.Authorization/locks/*",
          "Microsoft.Compute/virtualMachines/read",
          "Microsoft.Network/virtualNetworks/subnets/join/action",
          "Microsoft.Network/publicIPAddresses/read",
          "Microsoft.Network/publicIPAddresses/join/action"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
Illumio Firewall Administrator Role - Custom Role
```json
{
  "properties": {
    "roleName": "Illumio Firewall Administrator",
    "description": "Illumio Firewall Administrator role",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Network/azurefirewalls/read",
          "Microsoft.Network/azurefirewalls/learnedIPPrefixes/action",
          "Microsoft.Network/azureFirewalls/applicationRuleCollections/write",
          "Microsoft.Network/azureFirewalls/applicationRuleCollections/delete",
          "Microsoft.Network/azureFirewalls/applicationRuleCollections/read",
          "Microsoft.Network/azurefirewalls/providers/Microsoft.Insights/logDefinitions/read",
          "Microsoft.Network/azureFirewalls/natRuleCollections/write",
          "Microsoft.Network/azureFirewalls/natRuleCollections/read",
          "Microsoft.Network/azureFirewalls/natRuleCollections/delete",
          "Microsoft.Network/azureFirewalls/networkRuleCollections/read",
          "Microsoft.Network/azureFirewalls/networkRuleCollections/write",
          "Microsoft.Network/azureFirewalls/networkRuleCollections/delete",
          "Microsoft.Network/azureFirewallFqdnTags/read",
          "Microsoft.Network/azurefirewalls/providers/Microsoft.Insights/metricDefinitions/read",
          "Microsoft.Network/firewallPolicies/read",
          "Microsoft.Network/firewallPolicies/write",
          "Microsoft.Network/firewallPolicies/join/action",
          "Microsoft.Network/firewallPolicies/certificates/action",
          "Microsoft.Network/firewallPolicies/delete",
          "Microsoft.Network/firewallPolicies/ruleCollectionGroups/read",
          "Microsoft.Network/firewallPolicies/ruleCollectionGroups/write",
          "Microsoft.Network/firewallPolicies/ruleCollectionGroups/delete",
          "Microsoft.Network/firewallPolicies/ruleGroups/read",
          "Microsoft.Network/firewallPolicies/ruleGroups/write",
          "Microsoft.Network/firewallPolicies/ruleGroups/delete",
          "Microsoft.Network/ipGroups/read",
          "Microsoft.Network/ipGroups/write",
          "Microsoft.Network/ipGroups/validate/action",
          "Microsoft.Network/ipGroups/updateReferences/action",
          "Microsoft.Network/ipGroups/join/action",
          "Microsoft.Network/ipGroups/delete"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
Azure flow log support
NSG flow logs version 2 (which include flow state and byte counts) are supported; version 1 is not. VNet flow logs and Azure Firewall flow logs are also supported.
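To show what the version 2 requirement buys, here is an added example (not Illumio code) that parses NSG flow log version 2 records and extracts the flow state and byte counts that version 1 does not carry. The log record is constructed for this example and follows the published v2 layout, in which every flow tuple is a comma-separated string of time, source IP, destination IP, source port, destination port, protocol, direction, decision, flow state, and then packet and byte counters in each direction; a version 1 tuple ends after the decision field, so the parser rejects it rather than reporting empty state and counters.

```powershell
# Added example, not Illumio code: parse NSG flow log version 2 records. The
# record below is constructed to match the v2 layout, in which each flow tuple
# reads time,srcIp,dstIp,srcPort,dstPort,proto,dir,decision,state,pktsS2D,bytesS2D,pktsD2S,bytesD2S.
# A version 1 tuple stops after the decision field, so it carries no flow state
# and no byte counts, which is why v1 logs cannot feed this parser.
$sampleLog = @'
{ "records": [ { "time": "2024-01-01T00:00:00Z", "properties": { "Version": 2, "flows": [
  { "rule": "UserRule_allow-https-out", "flows": [ { "mac": "000D3AF87856", "flowTuples": [
      "1704067200,10.0.0.4,198.51.100.7,44994,443,T,O,A,B,,,,",
      "1704067260,10.0.0.4,198.51.100.7,44994,443,T,O,A,E,30,16978,24,14008" ] } ] },
  { "rule": "DefaultRule_DenyAllInBound", "flows": [ { "mac": "000D3AF87856", "flowTuples": [
      "1704067270,203.0.113.9,10.0.0.4,51111,22,T,I,D,B,,,," ] } ] } ] } } ] }
'@

function ConvertFrom-NsgFlowTuple {
    param([Parameter(Mandatory)][string]$Tuple, [string]$Rule = '')
    $f = $Tuple -split ','
    if ($f.Count -lt 13) { throw "Not a version 2 tuple ($($f.Count) fields): no flow state or byte counts" }
    # Begin (B) records carry empty counters; only Continuing (C) and End (E) carry totals
    $bytesOut = if ($f[10]) { [long]$f[10] } else { 0L }
    $bytesIn  = if ($f[12]) { [long]$f[12] } else { 0L }
    [pscustomobject]@{
        Rule        = $Rule
        Time        = [DateTimeOffset]::FromUnixTimeSeconds([long]$f[0]).UtcDateTime
        Source      = "$($f[1]):$($f[3])"
        Destination = "$($f[2]):$($f[4])"
        Protocol    = @{ T = 'TCP'; U = 'UDP' }[$f[5]]
        Direction   = @{ I = 'Inbound'; O = 'Outbound' }[$f[6]]
        Decision    = @{ A = 'Allow'; D = 'Deny' }[$f[7]]
        State       = @{ B = 'Begin'; C = 'Continuing'; E = 'End' }[$f[8]]
        BytesOut    = $bytesOut
        BytesIn     = $bytesIn
    }
}

$flows = foreach ($rec in ($sampleLog | ConvertFrom-Json).records) {
    if ($rec.properties.Version -ne 2) { Write-Warning "Skipping version $($rec.properties.Version) record"; continue }
    foreach ($byRule in $rec.properties.flows) {
        foreach ($nic in $byRule.flows) {
            foreach ($t in $nic.flowTuples) { ConvertFrom-NsgFlowTuple -Tuple $t -Rule $byRule.rule }
        }
    }
}
$flows | Format-Table Rule, Time, Source, Destination, Protocol, Direction, Decision, State, BytesOut, BytesIn
# Denied inbound flows are the ones a defender usually wants to see first
$flows | Where-Object { $_.Decision -eq 'Deny' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object { "Denied inbound: $($_.Source) -> $($_.Destination) by $($_.Rule)" }
```

The version check on each record and the field-count check on each tuple are the two places where a version 1 log would be caught: a v1 record is skipped with a warning, and a stray 8-field tuple raises rather than being silently reported as a flow with zero bytes.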