to discover and monitor Azure resources a Service Principal is needed and the related AAD application must have a Contributor role for the monitored subscription.
The customers hardly accept to give such permissions to monitoring service providers.
I would expect that for monitoring services the predefined Azure Roles 'Monitoring Reader' or 'Monitoring Contributor' are sufficient. That's easier to sell to the customers security responsible.
If for other monitoring services (e.g to access Azure Storage Account content to monitor special log files) additional permissions are needed that should be separated by dedicated Aspect assignments.
T-Systems International GmbH