When using Service Connector to create connections between Azure services, it's essential to ensure that the necessary permissions are granted. This document outlines the permission requirements for various Azure resources to facilitate seamless connection creation.
Service Connector creates connections between Azure services using an on-behalf-of tokens.
Creating connections to Azure resources requires appropriate permissions.
App Service
Action
Description
Microsoft.Web/sites/config/write
Update Web App's configuration settings
Microsoft.web/sites/config/delete
Delete Web Apps Config.
Microsoft.Web/sites/config/list/action
List Web App's security sensitive settings, such as publishing credentials, app settings and connection strings
Microsoft.Web/sites/config/Read
Get Web App configuration settings
Microsoft.Web/sites/write
Create a new Web App or update an existing one
Microsoft.Web/sites/read
Get the properties of a Web App
Webapp Slot
Action
Description
Microsoft.Web/sites/slots/Write
Create a new Web App Slot or update an existing one
Microsoft.Web/sites/slots/Read
Get the properties of a Web App deployment slot
Microsoft.Web/sites/slots/config/Read
Get Web App Slot's configuration settings
Microsoft.Web/sites/slots/config/Write
Update Web App Slot's configuration settings
microsoft.web/sites/slots/config/delete
Delete Web Apps Slots Config.
Microsoft.Web/sites/slots/config/list/Action
List Web App Slot's security sensitive settings, such as publishing credentials, app settings and connection strings
Azure Spring App
Action
Description
Microsoft.AppPlatform/Spring/read
Get Azure Spring Apps service instance(s)
Microsoft.AppPlatform/Spring/apps/read
Get the applications for a specific Azure Spring Apps service instance
Microsoft.AppPlatform/Spring/apps/write
Create or update the application for a specific Azure Spring Apps service instance
View the value of WebPubSub access keys in the management portal or through API
Azure Cosmos DB
Warning
Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.
Return the list of server firewall rules or gets the properties for the specified server firewall rule.
Microsoft.Sql/servers/firewallRules/write
Creates a server firewall rule with the specified parameters, update the properties for the specified rule or overwrite all existing rules with new server firewall rule(s).
Microsoft.Sql/servers/firewallRules/delete
Deletes an existing server firewall rule.
Microsoft.Sql/servers/databases/read
Return the list of databases or gets the properties for the specified database.
Microsoft.Sql/servers/read
Return the list of servers or gets the properties for the specified server.
Microsoft.Sql/servers/virtualNetworkRules/read
Return the list of virtual network rules or gets the properties for the specified virtual network rule.
Microsoft.Sql/servers/virtualNetworkRules/write
Creates a virtual network rule with the specified parameters or update the properties or tags for the specified virtual network rule.
Microsoft.Sql/servers/virtualNetworkRules/delete
Deletes an existing Virtual Network Rule
Azure Key Vault
Action
Description
Microsoft.KeyVault/vaults/write
Creates a new key vault or updates the properties of an existing key vault. Certain properties may require more permissions.
Microsoft.KeyVault/vaults/read
View the properties of a key vault
Microsoft.KeyVault/vaults/secrets/write
Creates a new secret or updates the value of an existing secret.
Microsoft.KeyVault/vaults/accessPolicies/write
Updates an existing access policy by merging or replacing, or adds a new access policy to the key vault.
Managed Identity/Service principal related connection
Service Connector may need to grant permissions to Managed Identity or Service Principal if a connection is created with those as authentication types. The following table lists the permission requirements for creating a connection in this scenario.
Action
Description
Microsoft.Authorization/roleAssignments/read
Get information about a role assignment.
Microsoft.Authorization/roleAssignments/write
Create a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/delete
Delete a role assignment at the specified scope.
User-assigned managed identities connection
Service Connector may need to grant permissions to User-assigned Managed Identity if a connection is created with it as the authentication type. The following table lists the permission requirements for creating a connection in this scenario.
Private Endpoint/service endpoint related permission
Service Connector may need to grant permissions to your identity if a connection is created with private endpoint or service endpoint as the network solution. The following table lists the permission requirements for creating a connection in this scenario.
Action
Description
Microsoft.Network/publicIPAddresses/read
Gets a public IP address definition.
Microsoft.Network/virtualNetworks/subnets/read
Gets a virtual network subnet definition
Microsoft.Network/virtualNetworks/subnets/write
Creates a virtual network subnet or updates an existing virtual network subnet