Azure Permissions Required¶
CertifyClouds requires specific Azure permissions to discover and scan Key Vaults across your subscriptions. This document outlines the minimum required permissions for secure operation.
Quick Summary¶
Minimum Required Role: Reader at the Subscription scope
What CertifyClouds Can Access:
- List subscriptions
- List Key Vaults
- Read Key Vault configuration (network, policies, RBAC)
- Read secret/key/certificate metadata (names, expiry dates)
What CertifyClouds CANNOT Access:
- Secret values
- Private key material
- Certificate private keys
- Modify any resources
- Delete any resources
Automated Setup¶
Use the provided setup script to automatically configure Key Vault permissions:
Prerequisites (Grant Reader First)¶
Before running the setup script, grant Reader role at the subscription level:
# Get your Managed Identity's Principal ID
PRINCIPAL_ID=$(az vm show --resource-group <rg> --name <vm> --query identity.principalId -o tsv)
# Grant Reader on each subscription
az role assignment create \
--assignee $PRINCIPAL_ID \
--role "Reader" \
--scope /subscriptions/<subscription-id>
Run the Setup Script¶
# 1. Check current permissions (dry run)
./setup-certifyclouds-access.sh --principal-id $PRINCIPAL_ID
# 2. Apply read permissions for Discovery scanning
./setup-certifyclouds-access.sh --principal-id $PRINCIPAL_ID --apply
# 3. (Optional) Enable Rotation write permissions (PRO tier)
./setup-certifyclouds-access.sh --principal-id $PRINCIPAL_ID --apply --pro
# 4. (Optional) Add subnet to Key Vault firewalls
./setup-certifyclouds-access.sh --principal-id $PRINCIPAL_ID --apply --subnet-id /subscriptions/.../subnets/snet-certifyclouds
The script will:
- Discover all subscriptions the principal has Reader access to
- Find all Key Vaults across those subscriptions
- Auto-detect whether each vault uses RBAC or Access Policies
- Check existing permissions and report any gaps
- Apply missing permissions when --apply is specified
Authentication Methods¶
1. Managed Identity (Recommended)¶
Best for: Azure VMs, Container Instances, AKS, Container Apps
# Enable system-assigned managed identity on your VM
az vm identity assign \
--resource-group rg-certifyclouds \
--name vm-certifyclouds
# Get the identity principal ID
IDENTITY_ID=$(az vm show \
--resource-group rg-certifyclouds \
--name vm-certifyclouds \
--query identity.principalId -o tsv)
# Assign Reader role at subscription scope
az role assignment create \
--assignee $IDENTITY_ID \
--role Reader \
--scope /subscriptions/{subscription-id}
Configuration:
Benefits:
- No credentials to manage or rotate
- More secure than service principals
- Automatic credential refresh
- Audit trail in Azure Activity Log
2. Service Principal¶
Best for: On-premises deployment, non-Azure environments
# Create service principal
az ad sp create-for-rbac \
--name sp-certifyclouds \
--role Reader \
--scopes /subscriptions/{subscription-id}
Configuration:
AZURE_CLIENT_ID=12345678-1234-1234-1234-123456789abc
AZURE_CLIENT_SECRET=your-client-secret
AZURE_TENANT_ID=87654321-4321-4321-4321-cba987654321
Security Best Practice
- Store client secret in Azure Key Vault (not in config files)
- Rotate client secret every 90 days
- Use certificate-based auth for production
- Enable MFA for the service principal
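As an added example (not part of CertifyClouds or its setup script), the following Python script applies the 90-day rotation rule from the list above to the output of `az ad app credential list --id <app-id> -o json`, so an operator can see which client secrets are overdue before the AADSTS errors start. The credential records embedded in it are constructed, and the 14-day expiry warning window is an assumption of the example.

```python
"""Client-secret age check for the CertifyClouds service principal.
Added example, not part of CertifyClouds. It parses JSON shaped like
`az ad app credential list --id <app-id> -o json` and applies the 90-day
rotation window recommended above. The records below are constructed."""
import json
from datetime import datetime, timedelta, timezone

ROTATION_DAYS = 90          # rotation window from the best-practice list above
EXPIRY_WARNING_DAYS = 14    # assumption of this example: warn this long before expiry

# Constructed sample in the shape of `az ad app credential list` output.
SAMPLE_CREDENTIALS = json.dumps([
    {"keyId": "aaaaaaaa-0000-0000-0000-000000000001",
     "displayName": "certifyclouds-2025-q1",
     "startDateTime": "2025-01-15T00:00:00Z",
     "endDateTime": "2026-01-15T00:00:00Z"},
    {"keyId": "aaaaaaaa-0000-0000-0000-000000000002",
     "displayName": "certifyclouds-2025-q4",
     "startDateTime": "2025-10-20T00:00:00Z",
     "endDateTime": "2025-11-30T00:00:00Z"},
])


def parse_time(value):
    """Azure returns RFC 3339 timestamps; fromisoformat wants '+00:00' rather than 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_credentials(credential_json, now):
    """Return (keyId, displayName, status, age_days) for each credential.

    Status precedence: EXPIRED, then EXPIRING_SOON, then ROTATE (older than the
    rotation window), otherwise OK.
    """
    findings = []
    for cred in json.loads(credential_json):
        start = parse_time(cred["startDateTime"])
        end = parse_time(cred["endDateTime"])
        age_days = (now - start).days
        if end <= now:
            status = "EXPIRED"
        elif end - now <= timedelta(days=EXPIRY_WARNING_DAYS):
            status = "EXPIRING_SOON"
        elif age_days > ROTATION_DAYS:
            status = "ROTATE"
        else:
            status = "OK"
        findings.append((cred["keyId"], cred.get("displayName", ""), status, age_days))
    return findings


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for key_id, name, status, age in assess_credentials(SAMPLE_CREDENTIALS, now):
        print(f"{status:14} {age:4d}d  {name or key_id}")
```

In a real deployment pipe the live `az ad app credential list` output into `assess_credentials` instead of the embedded sample; anything reported as ROTATE or EXPIRING_SOON is a new secret to create and store in Key Vault, as the list above recommends.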
Multi-Subscription Access¶
To scan multiple Azure subscriptions, grant the Reader role on each subscription:
Per-Subscription Assignment¶
# Assign to subscription 1
az role assignment create \
--assignee $IDENTITY_ID \
--role Reader \
--scope /subscriptions/11111111-1111-1111-1111-111111111111
# Assign to subscription 2
az role assignment create \
--assignee $IDENTITY_ID \
--role Reader \
--scope /subscriptions/22222222-2222-2222-2222-222222222222
Management Group Assignment (Enterprise)¶
For organizations with many subscriptions:
# Assign Reader at management group scope
az role assignment create \
--assignee $IDENTITY_ID \
--role Reader \
--scope /providers/Microsoft.Management/managementGroups/{mg-id}
This grants access to all subscriptions under the management group.
Azure RBAC Permissions Detail¶
Core Permissions (All Tiers)¶
Microsoft.KeyVault/vaults/read
Microsoft.KeyVault/vaults/accessPolicies/read
Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Network/privateEndpoints/read
Microsoft.Network/networkSecurityGroups/read
Microsoft.Authorization/roleAssignments/read
Microsoft.Insights/diagnosticSettings/read
Dependency Discovery (PRO Tier)¶
Microsoft.Web/sites/read # App Services, Function Apps
Microsoft.Web/sites/config/read # App settings, connection strings
Microsoft.Logic/workflows/read # Logic Apps
Microsoft.Sql/servers/read # SQL Servers
Microsoft.App/containerApps/read # Container Apps
Microsoft.ApiManagement/service/read # API Management
Microsoft.DataFactory/factories/read # Data Factory
Microsoft.DataFactory/factories/linkedservices/read # Data Factory linked services
Microsoft.ContainerService/managedClusters/read # AKS clusters
Microsoft.ServiceBus/namespaces/read # Service Bus
Microsoft.ServiceBus/namespaces/authorizationRules/read # Service Bus auth rules
Microsoft.EventHub/namespaces/read # Event Hubs
Microsoft.EventHub/namespaces/authorizationRules/read # Event Hubs auth rules
Microsoft.Storage/storageAccounts/read # Storage Accounts
Rotation Feature - Additional Permissions (PRO + ENTERPRISE)¶
The Rotation feature requires write access to rotate App Registration credentials and update secret values in Key Vaults.
Microsoft Graph API Permissions¶
| Permission | Tier | Purpose | Type |
|---|---|---|---|
| Application.Read.All | STARTER | Read-only - list App Registrations and their credential metadata for discovery / inventory views | Application |
| Application.ReadWrite.All | PRO | Read App Registrations and add / remove their secrets + certificates during rotation | Application |
Grant one of the above according to your tier; Application.ReadWrite.All is a strict superset, so don't assign both. After assigning, grant admin consent in the Azure Portal so the permission takes effect.
Key Vault data-plane write¶
Rotation needs to write new secret values into target Key Vaults. Use the data-plane RBAC role rather than the control-plane Contributor:
az role assignment create \
--assignee $IDENTITY_ID \
--role "Key Vault Secrets Officer" \
--scope /subscriptions/{subscription-id}
Key Vault Secrets Officer grants set / get / list / delete on secret values inside the vault. Use Key Vault Certificates Officer for certificate rotation and Key Vault Crypto Officer for key operations.
Avoid Key Vault Contributor
The Key Vault Contributor role is a control-plane role that permits deleting vaults, modifying access policies, and changing network rules - far broader than rotation requires. Use the least-privilege data-plane Officer roles above instead. Grant Contributor only if a customer ops policy explicitly requires it.
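The checks that the setup script is described as performing (Reader coverage per subscription, RBAC-versus-Access-Policies detection, reporting gaps), the management group inheritance described under Multi-Subscription Access, and the Secrets Officer / Contributor guidance just above can all be expressed in one gap check. The Python script below is an added example, not the setup-certifyclouds-access.sh script shipped with CertifyClouds. It works on JSON in the shape of `az account list -o json`, `az role assignment list --assignee <id> --all -o json` and `az keyvault list -o json`; the principal ID, subscription IDs, vault records and management-group membership table are all constructed, and the `properties.enableRbacAuthorization` and `properties.accessPolicies` fields are assumed to be present in the vault listing.

```python
"""Permission gap check for a CertifyClouds principal (added example, not the
product's own setup script). Reports: subscriptions lacking Reader (directly or
inherited from a management group), each vault's authorization model, vaults
where Rotation would fail for lack of data-plane write, and Key Vault Contributor
assignments, which are broader than Rotation needs. All sample data is constructed."""
import json

PRINCIPAL_ID = "00000000-0000-0000-0000-00000000c1c1"  # constructed placeholder
READ_ROLES = ["Reader", "Contributor", "Owner"]        # built-in roles whose actions include */read
MG_PREFIX = "/providers/microsoft.management/managementgroups/"
# Assumption: management-group membership is looked up separately and passed in here.
MG_SUBSCRIPTIONS = {"mg-platform": ["33333333-3333-3333-3333-333333333333"]}

SUB1, SUB2, SUB3 = ("11111111-1111-1111-1111-111111111111",
                    "22222222-2222-2222-2222-222222222222",
                    "33333333-3333-3333-3333-333333333333")
KV = "/providers/Microsoft.KeyVault/vaults/"

SAMPLE_SUBSCRIPTIONS = json.dumps([{"id": SUB1, "name": "core"}, {"id": SUB2, "name": "app"},
                                   {"id": SUB3, "name": "platform"}])
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB1}"},
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-platform"},
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": "Key Vault Secrets Officer",
     "scope": f"/subscriptions/{SUB1}"},
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": "Key Vault Contributor",
     "scope": f"/subscriptions/{SUB2}/resourceGroups/rg-app{KV}kv-app-prod"},
])
SAMPLE_VAULTS = json.dumps([
    {"id": f"/subscriptions/{SUB1}/resourceGroups/rg-core{KV}kv-core", "name": "kv-core",
     "properties": {"enableRbacAuthorization": True}},
    {"id": f"/subscriptions/{SUB1}/resourceGroups/rg-core{KV}kv-legacy", "name": "kv-legacy",
     "properties": {"enableRbacAuthorization": False, "accessPolicies": [
         {"objectId": PRINCIPAL_ID, "permissions": {"secrets": ["Get", "List"]}}]}},
    {"id": f"/subscriptions/{SUB2}/resourceGroups/rg-app{KV}kv-app-prod", "name": "kv-app-prod",
     "properties": {"enableRbacAuthorization": True}},
    {"id": f"/subscriptions/{SUB3}/resourceGroups/rg-plat{KV}kv-platform", "name": "kv-platform",
     "properties": {"enableRbacAuthorization": True}},
])


def subscription_of(scope):
    """Subscription ID segment of an ARM scope, or None for management-group scopes."""
    parts = scope.lower().split("/")
    return parts[2] if len(parts) > 2 and parts[1] == "subscriptions" else None


def covers(assignment_scope, target_scope):
    """True if a role assigned at assignment_scope is inherited at target_scope."""
    a, t = assignment_scope.lower().rstrip("/"), target_scope.lower()
    if t == a or t.startswith(a + "/"):          # subscription -> resource group -> vault
        return True
    if a.startswith(MG_PREFIX):                  # management group -> member subscriptions
        members = [s.lower() for s in MG_SUBSCRIPTIONS.get(a[len(MG_PREFIX):], [])]
        return subscription_of(t) in members
    return False


def has_role(assignments, role_names, target_scope):
    wanted = {r.lower() for r in role_names}
    return any(a["principalId"].lower() == PRINCIPAL_ID.lower()
               and a["roleDefinitionName"].lower() in wanted
               and covers(a["scope"], target_scope) for a in assignments)


def check_permissions(subscriptions_json, assignments_json, vaults_json, rotation=False):
    """Report Reader gaps, vault auth models, Rotation gaps and over-broad assignments."""
    subs, assignments, vaults = (json.loads(x) for x in (subscriptions_json, assignments_json, vaults_json))
    report = {"reader_gaps": [], "vault_models": {}, "rotation_gaps": [], "overbroad": []}
    for sub in subs:
        if not has_role(assignments, READ_ROLES, f"/subscriptions/{sub['id']}"):
            report["reader_gaps"].append(sub["id"])
    for vault in vaults:
        props = vault["properties"]
        rbac = props.get("enableRbacAuthorization", False)
        report["vault_models"][vault["name"]] = "RBAC" if rbac else "Access Policies"
        if not rotation:
            continue
        if rbac:   # data-plane role at vault scope or inherited from above
            ok = has_role(assignments, ["Key Vault Secrets Officer"], vault["id"])
        else:      # access-policy vault: the principal needs a policy entry granting secrets "set"
            ok = any(p["objectId"].lower() == PRINCIPAL_ID.lower()
                     and "set" in [x.lower() for x in p["permissions"].get("secrets", [])]
                     for p in props.get("accessPolicies", []))
        if not ok:
            report["rotation_gaps"].append(vault["name"])
    for a in assignments:   # control-plane Contributor is broader than Rotation needs
        if a["principalId"].lower() == PRINCIPAL_ID.lower() and a["roleDefinitionName"] == "Key Vault Contributor":
            report["overbroad"].append(a["scope"])
    return report


if __name__ == "__main__":
    print(json.dumps(check_permissions(SAMPLE_SUBSCRIPTIONS, SAMPLE_ASSIGNMENTS,
                                       SAMPLE_VAULTS, rotation=True), indent=2))
```

With the constructed data the report shows the second subscription missing Reader, the third covered only through its management group, the legacy vault needing an access policy rather than an RBAC role for Rotation, and the vault-scoped Key Vault Contributor flagged for replacement by Key Vault Secrets Officer. Run the same functions on live `az` output, with `rotation=True` only on PRO and ENTERPRISE deployments, to get the dry-run view the setup script describes.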
Permission Verification¶
Test Azure Login¶
# For Managed Identity, CertifyClouds auto-detects managed identity
# when deployed to Azure VM, App Service, or Container Apps.
# No manual token retrieval required.
# For Service Principal
az login --service-principal \
--username $AZURE_CLIENT_ID \
--password $AZURE_CLIENT_SECRET \
--tenant $AZURE_TENANT_ID
Test Subscription Access¶
Test Key Vault Access¶
Troubleshooting¶
"Insufficient permissions to list subscriptions"¶
Cause: Managed identity doesn't have Reader on subscription.
Fix:
az role assignment create \
--assignee $IDENTITY_ID \
--role Reader \
--scope /subscriptions/{subscription-id}
"Cannot access Key Vault: {vault-name}"¶
Cause: The Key Vault firewall is enabled and the CertifyClouds IP address or subnet is not on its allow list.
Fix:
"AADSTS700016 - Application not found"¶
Cause: Service principal client secret expired or invalid.
Fix:
Security & Privacy¶
CertifyClouds Does NOT Access Vault Contents¶
CertifyClouds only reads configuration metadata. It NEVER accesses:
- Secret values
- Key material
- Certificate private keys
Why? The Reader role does not grant Key Vault data plane access. CertifyClouds only uses Azure Resource Manager (ARM) APIs to read resource properties.
Audit Trail¶
All CertifyClouds API calls are logged in Azure Activity Logs:
# View CertifyClouds activity
az monitor activity-log list \
--caller $IDENTITY_ID \
--start-time 2025-11-09T00:00:00Z
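As an added example (not part of CertifyClouds), the Python script below reviews the output of the `az monitor activity-log list --caller ...` command above from the defender's side: a Reader-only scanning identity should only ever produce `*/read` operations, so any other operation in its trail is worth an alert, whether it succeeded (the identity holds more than Reader) or failed (something tried to write with it). The principal ID, vault resource ID and log events are constructed. Note that Key Vault data-plane operations, including the Rotation feature's secret writes, are not recorded in the Activity Log; they appear in the vault's diagnostic logs.

```python
"""Audit-trail review of Azure Activity Log entries for the CertifyClouds identity.
Added example, not part of CertifyClouds. Consumes JSON shaped like
`az monitor activity-log list --caller <principal-id> -o json` and flags every
operation that is not a */read action. The events below are constructed."""
import json
from collections import Counter

CALLER_ID = "00000000-0000-0000-0000-00000000c1c1"  # constructed placeholder principal ID
VAULT = ("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-core"
         "/providers/Microsoft.KeyVault/vaults/kv-core")


def event(ts, op, status, caller=CALLER_ID):
    """Constructed record in the shape of an Activity Log event (fields trimmed)."""
    return {"caller": caller, "eventTimestamp": ts, "resourceId": VAULT,
            "operationName": {"value": op}, "status": {"value": status}}


SAMPLE_ACTIVITY_LOG = json.dumps([
    event("2025-11-09T08:00:01Z", "Microsoft.KeyVault/vaults/read", "Succeeded"),
    event("2025-11-09T08:00:02Z", "Microsoft.Authorization/roleAssignments/read", "Succeeded"),
    event("2025-11-09T08:00:03Z", "Microsoft.KeyVault/vaults/accessPolicies/write", "Succeeded"),
    event("2025-11-09T08:00:04Z", "Microsoft.KeyVault/vaults/delete", "Failed"),
    event("2025-11-09T08:00:05Z", "Microsoft.KeyVault/vaults/write", "Succeeded",
          caller="99999999-9999-9999-9999-999999999999"),  # another principal: ignored
])


def audit_activity(log_json, caller=CALLER_ID):
    """Return (timestamp, operation, status, verdict) for each event by the caller."""
    findings = []
    for ev in json.loads(log_json):
        if ev.get("caller", "").lower() != caller.lower():
            continue
        op, status = ev["operationName"]["value"], ev["status"]["value"]
        if op.lower().endswith("/read"):
            verdict = "read"                    # expected for a Reader-only identity
        elif status.lower() == "failed":
            verdict = "DENIED-WRITE-ATTEMPT"    # blocked by RBAC, but why was it tried?
        else:
            verdict = "UNEXPECTED-WRITE"        # succeeded: privileges exceed Reader
        findings.append((ev["eventTimestamp"], op, status, verdict))
    return findings


def alerts(findings):
    """Only the findings a defender should act on."""
    return [f for f in findings if f[3] != "read"]


def operation_counts(findings):
    """How often each operation appears, useful as a baseline of normal scan activity."""
    return Counter(f[1] for f in findings)


if __name__ == "__main__":
    found = audit_activity(SAMPLE_ACTIVITY_LOG)
    for ts, op, status, verdict in found:
        print(f"{ts}  {verdict:21}  {op} ({status})")
    print("alerts:", len(alerts(found)))
```

Feed it the live command's JSON output and schedule it with the same `--start-time` window; a non-empty `alerts()` result is the signal that the identity's role assignments should be reviewed with the `az role assignment list` check from the Summary Checklist.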
Summary Checklist¶
Before running CertifyClouds scans, ensure:
- [ ] Managed Identity or Service Principal created
- [ ] Reader role assigned at subscription scope
- [ ] Role assignment verified with az role assignment list
- [ ] CertifyClouds can authenticate (test connection in UI)
- [ ] Firewall rules configured if Key Vaults have network restrictions
- [ ] Audit logging enabled to monitor access
Minimum Required: Reader role at /subscriptions/{subscription-id} scope
That's it! CertifyClouds requires no data plane access, no write permissions (except for Rotation), and no privileged roles.
Next: Network Requirements¶
Permissions get the app authorized; networking gets the app reachable. See Network Requirements for the outbound allowlist (license server, Docker Hub, Graph, Key Vault), the NSG / Azure Firewall snippets, and a diagnostic curl sequence for troubleshooting connectivity.