Access permissions for Microsoft Azure desired state templates in VMware Tanzu Guardrails

As a Cloud Services Operations administrator, to use the desired state templates in Tanzu Guardrails for governing the compliance policies in your Microsoft Azure infrastructure, you must understand the access permissions required.

To access and run the desired state templates for Microsoft Azure, you must have the following subscription access and credentials:

  • Access to a valid subscription.
  • The tenant ID.
  • The client ID.
  • The secret token that you used to create the Azure account profile.

By using the desired state templates, you can bootstrap Azure, assign built-in roles and custom roles to users, and more.

Required policy for Microsoft Azure use cases

Write permissions for Required policy

Write permissions

{
    "properties": {
        "roleName": "Azure Write Privileges",
        "description": "Azure Write Privileges",
        "assignableScopes": [
            "<ASSIGNEE_SCOPES>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/roleDefinitions/read",
                    "Microsoft.Authorization/roleDefinitions/write",
                    "Microsoft.management/managementgroups/subscriptions/write",
                    "Microsoft.Authorization/roleAssignments/read",
                    "Microsoft.Authorization/roleAssignments/write",
                    "Microsoft.Management/register/action",
                    "Microsoft.Management/checkNameAvailability/action",
                    "Microsoft.Management/managementGroups/descendants/read",
                    "Microsoft.Management/managementGroups/settings/read",
                    "Microsoft.Management/managementGroups/settings/write",
                    "Microsoft.Subscription/rename/action",
                    "Microsoft.Management/managementGroups/read",
                    "Microsoft.Management/managementGroups/write",
                    "Microsoft.Management/managementGroups/subscriptions/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/write",
                    "Microsoft.Resources/tags/read",
                    "Microsoft.Resources/tags/write",
                    "Microsoft.Authorization/policyDefinitions/write",
                    "Microsoft.Authorization/classicAdministrators/read",
                    "Microsoft.Authorization/classicAdministrators/operationstatuses/read",
                    "Microsoft.Authorization/operations/read",
                    "Microsoft.Authorization/permissions/read",
                    "Microsoft.Authorization/policyDefinitions/read",
                    "Microsoft.Authorization/policySetDefinitions/read",
                    "Microsoft.Authorization/providerOperations/read",
                    "Microsoft.EventGrid/eventSubscriptions/read",
                    "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
                    "Microsoft.EventGrid/locations/eventSubscriptions/read",
                    "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Authorization/policyAssignments/read",
                    "Microsoft.Authorization/policyAssignments/write"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Read-only permissions for dry run and testing

Read-only permissions

{
    "properties": {
        "roleName": "Azure Read Only Privileges",
        "description": "Azure Read Only Privileges",
        "assignableScopes": [
            "<ASSIGNEE_SCOPES>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Resources/subscriptions/read",
                    "Microsoft.management/managementgroups/subscriptions/read",
                    "Microsoft.Authorization/roleAssignments/read",
                    "Microsoft.management/managementgroups/read",
                    "Microsoft.Resources/tags/read",
                    "Microsoft.Authorization/classicAdministrators/read",
                    "Microsoft.Authorization/classicAdministrators/operationstatuses/read",
                    "Microsoft.Authorization/operations/read",
                    "Microsoft.Authorization/permissions/read",
                    "Microsoft.Authorization/policyDefinitions/read",
                    "Microsoft.Authorization/policySetDefinitions/read",
                    "Microsoft.Authorization/providerOperations/read",
                    "Microsoft.EventGrid/eventSubscriptions/read",
                    "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
                    "Microsoft.EventGrid/locations/eventSubscriptions/read",
                    "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Authorization/policyAssignments/read",
                    "Microsoft.Authorization/roleDefinitions/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Access privilege matrix for minimum permissions of Azure use cases

Each use case in the matrix below lists the desired state template reference, followed by the minimum read-only privileges and then the minimum write privileges.
Create or verify Azure Management Group

{
    "properties": {
        "roleName": "Management Group Read Only Privileges",
        "description": "Management Group Read Only Privileges",
        "assignableScopes": [
            "<ASSIGNABLE_SCOPES>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Management/managementGroups/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

{
    "properties": {
        "roleName": "Management Group Write Privileges",
        "description": "Management Group Write Privileges",
        "assignableScopes": [
            "<ASSIGNABLE_SCOPES>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Management/managementGroups/read",
                    "Microsoft.Management/managementGroups/write"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Attach Azure Subscription to Management Group

{
    "properties": {
        "roleName": "Subscription Read Only Privileges",
        "description": "Subscription Read Only Privileges",
        "assignableScopes": [
            "<ASSIGNABLE_SCOPES>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/classicAdministrators/read",
                    "Microsoft.Authorization/classicAdministrators/operationstatuses/read",
                    "Microsoft.Authorization/operations/read",
                    "Microsoft.Authorization/permissions/read",
                    "Microsoft.Authorization/providerOperations/read",
                    "Microsoft.EventGrid/eventSubscriptions/read",
                    "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
                    "Microsoft.EventGrid/locations/eventSubscriptions/read",
                    "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
                    "Microsoft.Resources/subscriptions/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

{
    "properties": {
        "roleName": "Subscription Write Privileges",
        "description": "Subscription Write Privileges",
        "assignableScopes": [
            "<ASSIGNABLE_SCOPES>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.management/managementgroups/subscriptions/read",
                    "Microsoft.management/managementgroups/subscriptions/write",
                    "Microsoft.Authorization/roleAssignments/read",
                    "Microsoft.Authorization/roleAssignments/write",
                    "Microsoft.Management/register/action",
                    "Microsoft.management/managementgroups/read",
                    "Microsoft.management/managementgroups/write",
                    "Microsoft.Management/checkNameAvailability/action",
                    "Microsoft.Management/managementGroups/descendants/read",
                    "Microsoft.Management/managementGroups/settings/read",
                    "Microsoft.Management/managementGroups/settings/write",
                    "Microsoft.Subscription/rename/action"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Create or verify Azure Resource Group

{
    "properties": {
        "roleName": "Resource Group Read Only Permissions",
        "description": "Resource Group Read Only Permissions",
        "assignableScopes": [
            "<ASSIGNABLE_SCOPES>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Resources/tags/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

{
    "properties": {
        "roleName": "Resource Group Write Permissions",
        "description": "Resource Group Write Permissions",
        "assignableScopes": [
            "<ASSIGNABLE_SCOPES>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Resources/subscriptions/resourceGroups/write",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Resources/tags/read",
                    "Microsoft.Resources/tags/write"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Create or verify Azure Policy Assignment

{
    "properties": {
        "roleName": "Policy Assignment Read Only Permission",
        "description": "Policy Assignment Read Only Permission",
        "assignableScopes": [
            "<ASSIGNABLE_SCOPES>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/classicAdministrators/read",
                    "Microsoft.Authorization/classicAdministrators/operationstatuses/read",
                    "Microsoft.Authorization/operations/read",
                    "Microsoft.Authorization/permissions/read",
                    "Microsoft.Authorization/policyDefinitions/read",
                    "Microsoft.Authorization/policySetDefinitions/read",
                    "Microsoft.Authorization/providerOperations/read",
                    "Microsoft.EventGrid/eventSubscriptions/read",
                    "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
                    "Microsoft.EventGrid/locations/eventSubscriptions/read",
                    "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Authorization/policyAssignments/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

{
    "properties": {
        "roleName": "Policy Assignment Write Permission",
        "description": "Policy Assignment Write Permission",
        "assignableScopes": [
            "<ASSIGNABLE_SCOPES>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/classicAdministrators/read",
                    "Microsoft.Authorization/classicAdministrators/operationstatuses/read",
                    "Microsoft.Authorization/operations/read",
                    "Microsoft.Authorization/permissions/read",
                    "Microsoft.Authorization/policyDefinitions/read",
                    "Microsoft.Authorization/policySetDefinitions/read",
                    "Microsoft.Authorization/providerOperations/read",
                    "Microsoft.EventGrid/eventSubscriptions/read",
                    "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
                    "Microsoft.EventGrid/locations/eventSubscriptions/read",
                    "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Authorization/policyAssignments/read",
                    "Microsoft.Authorization/policyAssignments/write"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Create or verify Azure Role Definitions

{
    "properties": {
        "roleName": "Role Definitions Read Only Privileges",
        "description": "Role Definitions Read Only Privileges",
        "assignableScopes": [
            "<ASSIGNABLE_SCOPES>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/roleDefinitions/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

{
    "properties": {
        "roleName": "Role Definitions Write Privileges",
        "description": "Role Definitions Write Privileges",
        "assignableScopes": [
            "<ASSIGNABLE_SCOPES>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/roleDefinitions/read",
                    "Microsoft.Authorization/roleDefinitions/write"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Create or verify Azure Role Assignment

{
    "properties": {
        "roleName": "Role Assignment Read Only Privileges",
        "description": "Role Assignment Read Only Privileges",
        "assignableScopes": [
            "<ASSIGNABLE_SCOPES>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/roleAssignments/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

{
    "properties": {
        "roleName": "Role Assignment Write Privileges",
        "description": "Role Assignment Write Privileges",
        "assignableScopes": [
            "<ASSIGNABLE_SCOPES>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/roleAssignments/write",
                    "Microsoft.Authorization/roleAssignments/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Create or verify Azure policy assignments of Azure built-in policy definition of storage category

{
    "properties": {
        "roleName": "Policy Assignment Read Only Permission",
        "description": "Policy Assignment Read Only Permission",
        "assignableScopes": [
            "<ASSIGNABLE_SCOPES>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/classicAdministrators/read",
                    "Microsoft.Authorization/classicAdministrators/operationstatuses/read",
                    "Microsoft.Authorization/operations/read",
                    "Microsoft.Authorization/permissions/read",
                    "Microsoft.Authorization/policyDefinitions/read",
                    "Microsoft.Authorization/policySetDefinitions/read",
                    "Microsoft.Authorization/providerOperations/read",
                    "Microsoft.EventGrid/eventSubscriptions/read",
                    "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
                    "Microsoft.EventGrid/locations/eventSubscriptions/read",
                    "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Authorization/policyAssignments/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

{
    "properties": {
        "roleName": "Policy Assignment Write Permission",
        "description": "Policy Assignment Write Permission",
        "assignableScopes": [
            "<ASSIGNABLE_SCOPES>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/classicAdministrators/read",
                    "Microsoft.Authorization/classicAdministrators/operationstatuses/read",
                    "Microsoft.Authorization/operations/read",
                    "Microsoft.Authorization/permissions/read",
                    "Microsoft.Authorization/policyDefinitions/read",
                    "Microsoft.Authorization/policySetDefinitions/read",
                    "Microsoft.Authorization/providerOperations/read",
                    "Microsoft.EventGrid/eventSubscriptions/read",
                    "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
                    "Microsoft.EventGrid/locations/eventSubscriptions/read",
                    "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Authorization/policyAssignments/read",
                    "Microsoft.Authorization/policyAssignments/write"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Create or verify Azure policy assignments of Azure built-in policy definition of General category

{
    "properties": {
        "roleName": "Policy Assignment Read Only Permission",
        "description": "Policy Assignment Read Only Permission",
        "assignableScopes": [
            "<ASSIGNABLE_SCOPES>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/classicAdministrators/read",
                    "Microsoft.Authorization/classicAdministrators/operationstatuses/read",
                    "Microsoft.Authorization/operations/read",
                    "Microsoft.Authorization/permissions/read",
                    "Microsoft.Authorization/policyDefinitions/read",
                    "Microsoft.Authorization/policySetDefinitions/read",
                    "Microsoft.Authorization/providerOperations/read",
                    "Microsoft.EventGrid/eventSubscriptions/read",
                    "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
                    "Microsoft.EventGrid/locations/eventSubscriptions/read",
                    "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Authorization/policyAssignments/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

{
    "properties": {
        "roleName": "Policy Assignment Write Permission",
        "description": "Policy Assignment Write Permission",
        "assignableScopes": [
            "<ASSIGNABLE_SCOPES>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/classicAdministrators/read",
                    "Microsoft.Authorization/classicAdministrators/operationstatuses/read",
                    "Microsoft.Authorization/operations/read",
                    "Microsoft.Authorization/permissions/read",
                    "Microsoft.Authorization/policyDefinitions/read",
                    "Microsoft.Authorization/policySetDefinitions/read",
                    "Microsoft.Authorization/providerOperations/read",
                    "Microsoft.EventGrid/eventSubscriptions/read",
                    "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
                    "Microsoft.EventGrid/locations/eventSubscriptions/read",
                    "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Authorization/policyAssignments/read",
                    "Microsoft.Authorization/policyAssignments/write"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Create or verify Azure policy assignments of Azure built-in policy definition of security category

{
    "properties": {
        "roleName": "Policy Assignment Read Only Permission",
        "description": "Policy Assignment Read Only Permission",
        "assignableScopes": [
            "<ASSIGNABLE_SCOPES>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/classicAdministrators/read",
                    "Microsoft.Authorization/classicAdministrators/operationstatuses/read",
                    "Microsoft.Authorization/operations/read",
                    "Microsoft.Authorization/permissions/read",
                    "Microsoft.Authorization/policyDefinitions/read",
                    "Microsoft.Authorization/policySetDefinitions/read",
                    "Microsoft.Authorization/providerOperations/read",
                    "Microsoft.EventGrid/eventSubscriptions/read",
                    "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
                    "Microsoft.EventGrid/locations/eventSubscriptions/read",
                    "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Authorization/policyAssignments/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

{
    "properties": {
        "roleName": "Policy Assignment Write Permission",
        "description": "Policy Assignment Write Permission",
        "assignableScopes": [
            "<ASSIGNABLE_SCOPES>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/classicAdministrators/read",
                    "Microsoft.Authorization/classicAdministrators/operationstatuses/read",
                    "Microsoft.Authorization/operations/read",
                    "Microsoft.Authorization/permissions/read",
                    "Microsoft.Authorization/policyDefinitions/read",
                    "Microsoft.Authorization/policySetDefinitions/read",
                    "Microsoft.Authorization/providerOperations/read",
                    "Microsoft.EventGrid/eventSubscriptions/read",
                    "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
                    "Microsoft.EventGrid/locations/eventSubscriptions/read",
                    "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Authorization/policyAssignments/read",
                    "Microsoft.Authorization/policyAssignments/write"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
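The role JSON on this page is meant to be copied, scoped to your own management group or subscription, and created as a custom role. Before doing that, a practitioner usually wants to confirm that the copy still expresses least privilege. The following Python is an added example, not Tanzu Guardrails code, that runs such checks on the action lists of the two Required-policy roles above and on one of the matrix minimums: it verifies that the <ASSIGNABLE_SCOPES> placeholder was replaced, that no wildcard action is present, that a role named "Read Only" grants only read operations (the property that makes that role safe for the dry run and testing described above), and it reports which actions of a narrower role a broader role does not cover. The scope value and the role-name heuristic are assumptions made for the example. Run against the two aggregated roles above, the coverage check reports Microsoft.Resources/subscriptions/read, which appears in the read-only role but not in the write role; the per-use-case Management Group minimum is fully covered.

```python
"""Least-privilege checks for custom role definitions in the JSON shape used on this page.

Added example, not Tanzu Guardrails code. It checks that the <ASSIGNABLE_SCOPES>
placeholder was replaced, that no wildcard action crept in, that a "Read Only" role
grants only .../read operations, and which actions of a narrower role a broader one
does not cover. Azure matches operation strings case-insensitively, so comparisons
lower-case them (the page's "Microsoft.management/managementgroups/..." entries
therefore match their mixed-case twins).
"""

# Hypothetical scope standing in for the page's <ASSIGNABLE_SCOPES> placeholder.
SCOPE = "/providers/Microsoft.Management/managementGroups/example-root"


def role(name, actions, scopes=(SCOPE,)):
    """Build a role definition dict in the shape of the page's JSON snippets."""
    return {"properties": {
        "roleName": name, "description": name, "assignableScopes": list(scopes),
        "permissions": [{"actions": list(actions), "notActions": [],
                         "dataActions": [], "notDataActions": []}]}}


# Action lists copied from the page's "Azure Read Only Privileges" role ...
READ_ONLY_ACTIONS = """
Microsoft.Resources/subscriptions/read  Microsoft.management/managementgroups/subscriptions/read
Microsoft.Authorization/roleAssignments/read  Microsoft.management/managementgroups/read
Microsoft.Resources/tags/read  Microsoft.Authorization/classicAdministrators/read
Microsoft.Authorization/classicAdministrators/operationstatuses/read
Microsoft.Authorization/operations/read  Microsoft.Authorization/permissions/read
Microsoft.Authorization/policyDefinitions/read  Microsoft.Authorization/policySetDefinitions/read
Microsoft.Authorization/providerOperations/read  Microsoft.EventGrid/eventSubscriptions/read
Microsoft.EventGrid/topicTypes/eventSubscriptions/read
Microsoft.EventGrid/locations/eventSubscriptions/read
Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/read  Microsoft.Authorization/policyAssignments/read
Microsoft.Authorization/roleDefinitions/read
""".split()

# ... and from its "Azure Write Privileges" role.
WRITE_ACTIONS = """
Microsoft.Authorization/roleDefinitions/read  Microsoft.Authorization/roleDefinitions/write
Microsoft.management/managementgroups/subscriptions/write
Microsoft.Authorization/roleAssignments/read  Microsoft.Authorization/roleAssignments/write
Microsoft.Management/register/action  Microsoft.Management/checkNameAvailability/action
Microsoft.Management/managementGroups/descendants/read
Microsoft.Management/managementGroups/settings/read  Microsoft.Management/managementGroups/settings/write
Microsoft.Subscription/rename/action  Microsoft.Management/managementGroups/read
Microsoft.Management/managementGroups/write  Microsoft.Management/managementGroups/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/write  Microsoft.Resources/tags/read
Microsoft.Resources/tags/write  Microsoft.Authorization/policyDefinitions/write
Microsoft.Authorization/classicAdministrators/read
Microsoft.Authorization/classicAdministrators/operationstatuses/read
Microsoft.Authorization/operations/read  Microsoft.Authorization/permissions/read
Microsoft.Authorization/policyDefinitions/read  Microsoft.Authorization/policySetDefinitions/read
Microsoft.Authorization/providerOperations/read  Microsoft.EventGrid/eventSubscriptions/read
Microsoft.EventGrid/topicTypes/eventSubscriptions/read
Microsoft.EventGrid/locations/eventSubscriptions/read
Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Authorization/policyAssignments/read  Microsoft.Authorization/policyAssignments/write
""".split()

READ_ONLY_ROLE = role("Azure Read Only Privileges", READ_ONLY_ACTIONS)
WRITE_ROLE = role("Azure Write Privileges", WRITE_ACTIONS)
# The page's minimum write role for "Create or verify Azure Management Group".
MG_WRITE_ROLE = role("Management Group Write Privileges",
                     ["Microsoft.Management/managementGroups/read",
                      "Microsoft.Management/managementGroups/write"])


def actions_of(role_def):
    """Every control-plane action the role grants, lower-cased for comparison."""
    return {a.lower() for perm in role_def["properties"]["permissions"]
            for a in perm["actions"]}


def find_problems(role_def):
    """Return human-readable findings; an empty list means the definition passes."""
    props = role_def["properties"]
    problems = []
    for scope in props["assignableScopes"]:
        if scope.startswith("<") and scope.endswith(">"):
            problems.append(f"assignableScopes still contains placeholder {scope}")
    granted = sorted(actions_of(role_def))
    problems += [f"wildcard action {a!r} grants more than a template needs"
                 for a in granted if "*" in a]
    if "read only" in props["roleName"].lower():
        problems += [f"read-only role grants non-read action {a!r}"
                     for a in granted if not a.endswith("/read")]
    return problems


def uncovered(broad, narrow):
    """Actions that `narrow` grants but `broad` does not (sorted, lower-cased)."""
    return sorted(actions_of(narrow) - actions_of(broad))


if __name__ == "__main__":
    for r in (READ_ONLY_ROLE, WRITE_ROLE, MG_WRITE_ROLE):
        print(r["properties"]["roleName"], "->", find_problems(r) or "ok")
    # Read-only actions that the aggregated write role does not include.
    print("missing from write role:", uncovered(WRITE_ROLE, READ_ONLY_ROLE))
    # A per-use-case minimum from the matrix, checked against the aggregated role.
    print("management-group minimum covered:", uncovered(WRITE_ROLE, MG_WRITE_ROLE) == [])
    # A snippet copied without editing is flagged on two counts.
    untouched = role("Demo Read Only", ["Microsoft.Authorization/roleDefinitions/write"],
                     ["<ASSIGNABLE_SCOPES>"])
    print(find_problems(untouched))
```

To run the same checks on a role saved from this page, load the file with `json.load` and pass the resulting dict to `find_problems` and `uncovered`; the dict has exactly the `properties` / `permissions` / `actions` shape that `role()` builds. The lower-casing in `actions_of` is deliberate: without it, the mixed-case and lower-case spellings of the management-group operations on this page would be reported as different actions.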

More information

For more information about the desired state templates, refer to:

Parent topic: Accessing permissions needed on public cloud to run desired state templates in VMware Tanzu Guardrails
