Once you create an AD application registration, Carbon Black recommends granting only read permissions when accessing Azure resources.

For details, see Understand Azure role assignments.

To assign the Reader role to the registered app, follow this specific to Carbon Black Cloud procedure. For detailed instructions on role assignment, see Assign Azure roles using the Azure portal.

Prerequisites

  • Verify that you are entitled with write permissions (Microsoft.Authorization/roleAssignments/write) by being assigned the User Access Administrator role or the Owner role.
  • Define the scope of resources to which access can apply to. For details, see the following documentation.

Procedure

  1. From the Azure portal, navigate to Home > Subscriptions and click the name of your registered application.
  2. On the Access control (IAM) page, select Add > Add role assignment.
    If you do not have permission to assign a role, you see (disabled) next to this option.
    The Add role assignment window displays.
  3. Under the Role tab, search for the Reader built-in role, select it and click Next.
  4. Under the Members tab, select the option for assigning access to User, group, or service principal, select one or more members, and enter a description for the role assignment.
  5. Click Next.
  6. Under the Review + assign tab, to confirm the assignment, click Review + assign.

Results

Shortly, the registered application is assigned the Reader role at the selected scope. You can view it under the list of existing assignments.