Idea ID: 1675970

Reduction of high Azure 'Role' prerequisites to use Azure MP by service providers

Status: Declined
over 2 years ago


To discover and monitor Azure resources, a Service Principal is needed, and the related AAD application must have a Contributor role for the monitored subscription.

The customers hardly accept giving such permissions to monitoring service providers.

I would expect that for monitoring services the predefined Azure Roles 'Monitoring Reader' or 'Monitoring Contributor' are sufficient. That's easier to sell to the customer's security responsible.

If for other monitoring services (e.g. to access Azure Storage Account content to monitor special log files) additional permissions are needed, that should be separated by dedicated Aspect assignments.

Karsten Edel
T-Systems International GmbH


  • Hi,

    I cannot imagine that this is not of customer interest, especially for service providers with many customers. For us as a service provider it is very important to protect our customers' data.

    With the new MP Azure prerequisite 'Storage Account Key Operator Service Role' you can still get access to the complete storage content of the customer. This risk we cannot accept and cannot use the MP in that way.

    To discover storage resources the 'Monitoring Reader' role is enough. Other tools are able to show the storage CIs and topology with 'Monitoring Reader' permissions (e.g. Azure Storage Explorer).

    Karsten Edel
    T-Systems International GmbH

  • Moving this Idea to “Declined” status as it has been open for > 1 year and has not gathered broad customer interest and/or there are no plans to implement.

  • I agree to some extent. Part of that privilege level is likely to facilitate full discovery of the environment. If you can only read the monitors, you have to know what monitors you want to read, which means a lot of entry of subscriptions, tenant credentials and then services and monitors. Not a bad thing the first time you have to do it, although in a big environment it is very time consuming. What does make it bad is that every time you update the MP version, you have to do it all again for all of your customers. That's not a good thing.