แก้ไข

แชร์ผ่าน


Permission requirement for Service Connector

Service Connector creates connections between Azure services using an on-behalf-of token. Creating a connection to a specific Azure resource requires its corresponding permissions.

App Service

Action Description
Microsoft.Web/sites/config/write Update Web App's configuration settings
Microsoft.web/sites/config/delete Delete Web Apps Config.
Microsoft.Web/sites/config/list/action List Web App's security sensitive settings, such as publishing credentials, app settings and connection strings
Microsoft.Web/sites/config/Read Get Web App configuration settings
Microsoft.Web/sites/write Create a new Web App or update an existing one
Microsoft.Web/sites/read Get the properties of a Web App

Webapp Slot

Action Description
Microsoft.Web/sites/slots/Write Create a new Web App Slot or update an existing one
Microsoft.Web/sites/slots/Read Get the properties of a Web App deployment slot
Microsoft.Web/sites/slots/config/Read Get Web App Slot's configuration settings
Microsoft.Web/sites/slots/config/Write Update Web App Slot's configuration settings
microsoft.web/sites/slots/config/delete Delete Web Apps Slots Config.
Microsoft.Web/sites/slots/config/list/Action List Web App Slot's security sensitive settings, such as publishing credentials, app settings and connection strings

Azure Spring App

Action Description
Microsoft.AppPlatform/Spring/read Get Azure Spring Apps service instance(s)
Microsoft.AppPlatform/Spring/apps/read Get the applications for a specific Azure Spring Apps service instance
Microsoft.AppPlatform/Spring/apps/write Create or update the application for a specific Azure Spring Apps service instance
Microsoft.AppPlatform/Spring/apps/deployments/*/read Get the deployments for a specific application
Microsoft.AppPlatform/Spring/apps/deployments/*/write Create or update the deployment for a specific application
Microsoft.AppPlatform/Spring/apps/deployments/*/delete Delete the deployment for a specific application

Azure Container Apps

Action Description
Microsoft.App/containerApps/read Get a Container App
Microsoft.App/containerApps/write Create or update a Container App
Microsoft.App/containerApps/listsecrets/action List secrets of a container app
Microsoft.App/managedEnvironments/read Get a Managed Environment
Microsoft.App/locations/managedEnvironmentOperationStatuses/read Get a Managed Environment Long Running Operation Status
microsoft.app/locations/containerappoperationstatuses/read Get a Container App Long Running Operation Status
microsoft.app/locations/containerappoperationresults/read Get a Container App Long Running Operation Result
microsoft.app/locations/managedenvironmentoperationresults/read Get a Managed Environment Long Running Operation Result

Dapr in Azure Container Apps

Action Description
Microsoft.App/managedEnvironments/daprComponents/read Read Managed Environment Dapr Component
Microsoft.App/managedEnvironments/daprComponents/write Create or Update Managed Environment Dapr Component
Microsoft.App/managedEnvironments/daprComponents/delete Delete Managed Environment Dapr Component

Azure Cache for Redis

Action Description
Microsoft.Cache/redis/read View the Redis Cache's settings and configuration in the management portal
Microsoft.Cache/redis/firewallRules/read Get the IP firewall rules of a Redis Cache
Microsoft.Cache/redis/firewallRules/write Edit the IP firewall rules of a Redis Cache
Microsoft.Cache/redis/firewallRules/delete Delete IP firewall rules of a Redis Cache
Microsoft.Cache/redis/listKeys/action View the value of Redis Cache access keys in the management portal

Azure Cache for Redis Enterprise

Action Description
Microsoft.Cache/redisEnterprise/read View the Redis Enterprise cache's settings and configuration in the management portal
Microsoft.Cache/redisEnterprise/databases/read View the Redis Enterprise cache database's settings and configuration in the management portal
Microsoft.Cache/redisEnterprise/databases/listKeys/action View the value of Redis Enterprise database access keys in the management portal

Azure Database for PostgreSQL

Azure Database for PostgreSQL

Action Description
Microsoft.DBforPostgreSQL/servers/firewallRules/read Return the list of firewall rules for a server or gets the properties for the specified firewall rule.
Microsoft.DBforPostgreSQL/servers/firewallRules/write Creates a firewall rule with the specified parameters or update an existing rule.
Microsoft.DBforPostgreSQL/servers/firewallRules/delete Deletes an existing firewall rule.
Microsoft.DBForPostgreSQL/servers/read Return the list of servers or gets the properties for the specified server.
Microsoft.DBForPostgreSQL/servers/databases/read Return the list of PostgreSQL Databases or gets the properties for the specified Database.
Microsoft.DBforPostgreSQL/servers/write Creates a server with the specified parameters or update the properties or tags for the specified server.

Azure Database for PostgreSQL (service endpoint)

Action Description
Microsoft.DBforPostgreSQL/servers/virtualNetworkRules/read Return the list of virtual network rules or gets the properties for the specified virtual network rule.
Microsoft.DBforPostgreSQL/servers/virtualNetworkRules/write Creates a virtual network rule with the specified parameters or update the properties or tags for the specified virtual network rule.
Microsoft.DBforPostgreSQL/servers/virtualNetworkRules/delete Deletes an existing Virtual Network Rule

Azure Database for PostgreSQL - Flexible Server

Action Description
Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/read Return the list of firewall rules for a server or gets the properties for the specified firewall rule.
Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/write Creates a firewall rule with the specified parameters or update an existing rule.
Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/delete Deletes an existing firewall rule.
Microsoft.DBForPostgreSQL/flexibleServers/read Return the list of servers or gets the properties for the specified server.
Microsoft.DBForPostgreSQL/flexibleServers/databases/read Returns the list of PostgreSQL server databases or gets the database for the specified server.
Microsoft.DBforPostgreSQL/flexibleServers/configurations/read Returns the list of PostgreSQL server configurations or gets the configurations for the specified server.

Azure Database for MySQL

Action Description
Microsoft.DBforMySQL/servers/firewallRules/read Return the list of firewall rules for a server or gets the properties for the specified firewall rule.
Microsoft.DBforMySQL/servers/firewallRules/write Creates a firewall rule with the specified parameters or update an existing rule.
Microsoft.DBforMySQL/servers/firewallRules/delete Deletes an existing firewall rule.
Microsoft.DBforMySQL/servers/read Return the list of servers or gets the properties for the specified server.
Microsoft.DBforMySQL/servers/databases/read Return the list of MySQL Databases or gets the properties for the specified Database.
Microsoft.DBforMySQL/servers/write Creates a server with the specified parameters or update the properties or tags for the specified server.

Azure Database for MySQL (service endpoint)

Action Description
Microsoft.DBforMySQL/servers/virtualNetworkRules/read Return the list of virtual network rules or gets the properties for the specified virtual network rule.
Microsoft.DBforMySQL/servers/virtualNetworkRules/write Creates a virtual network rule with the specified parameters or update the properties or tags for the specified virtual network rule.
Microsoft.DBforMySQL/servers/virtualNetworkRules/delete Deletes an existing Virtual Network Rule

Azure Database for MySQL - Flexible Server

Action Description
Microsoft.DBforMySQL/flexibleServers/firewallRules/read Returns the list of firewall rules for a server or gets the properties for the specified firewall rule.
Microsoft.DBforMySQL/flexibleServers/firewallRules/write Creates a firewall rule with the specified parameters or updates an existing rule.
Microsoft.DBforMySQL/flexibleServers/firewallRules/delete Deletes an existing firewall rule.
Microsoft.DBforMySQL/flexibleServers/read Returns the list of servers or gets the properties for the specified server.
Microsoft.DBforMySQL/flexibleServers/databases/read Returns the list of databases for a server or gets the properties for the specified database.
Microsoft.DBforMySQL/flexibleServers/configurations/read Returns the list of MySQL server configurations or gets the configurations for the specified server.

Azure App Configuration

Action Description
Microsoft.AppConfiguration/configurationStores/ListKeys/action Lists the API keys for the specified configuration store.
Microsoft.AppConfiguration/configurationStores/read Gets the properties of the specified configuration store or lists all the configuration stores under the specified resource group or subscription.

Azure Event Hubs

Action Description
Microsoft.EventHub/namespaces/read Get the list of Namespace Resource Description
Microsoft.EventHub/namespaces/ipFilterRules/read Get IP Filter Resource
Microsoft.EventHub/namespaces/ipFilterRules/write Create IP Filter Resource
Microsoft.EventHub/namespaces/ipFilterRules/delete Delete IP Filter Resource
Microsoft.EventHub/namespaces/networkrulesets/read Gets NetworkRuleSet Resource
Microsoft.EventHub/namespaces/networkrulesets/write Create VNET Rule Resource
Microsoft.EventHub/namespaces/authorizationRules/listkeys/action Get the Connection String to the Namespace

Azure Service Bus

Action Description
Microsoft.ServiceBus/namespaces/read Get the list of Namespace Resource Description
Microsoft.ServiceBus/namespaces/ipFilterRules/read Get IP Filter Resource
Microsoft.ServiceBus/namespaces/ipFilterRules/write Create IP Filter Resource
Microsoft.ServiceBus/namespaces/ipFilterRules/delete Delete IP Filter Resource
Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action Get the Connection String to the Namespace
Microsoft.ServiceBus/namespaces/networkrulesets/read Gets NetworkRuleSet Resource
Microsoft.ServiceBus/namespaces/networkrulesets/write Create VNET Rule Resource

Azure Blob Storage

Action Description
Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.Storage/storageAccounts/write Creates a storage account with the specified parameters or update the properties or tags or adds custom domain for the specified storage account.
Microsoft.Storage/storageAccounts/listkeys/action Returns the access keys for the specified storage account.

Azure SignalR Service

Action Description
Microsoft.SignalRService/SignalR/read View the SignalR's settings and configurations in the management portal or through API
Microsoft.SignalRService/SignalR/write Modify the SignalR's settings and configurations in the management portal or through API
Microsoft.SignalRService/locations/operationresults/signalr/read Query the result of a location-based asynchronous operation
Microsoft.SignalRService/locations/operationStatuses/signalr/read Query the status of a location-based asynchronous operation
Microsoft.SignalRService/SignalR/operationResults/read
Microsoft.SignalRService/SignalR/operationStatuses/read
Microsoft.SignalRService/SignalR/listkeys/action View the value of SignalR access keys in the management portal or through API

Azure Web PubSub service

Action Description
Microsoft.SignalRService/WebPubSub/read View the WebPubSub's settings and configurations in the management portal or through API
Microsoft.SignalRService/WebPubSub/write Modify the WebPubSub's settings and configurations in the management portal or through API
Microsoft.SignalRService/locations/operationresults/webpubsub/read Query the result of a location-based asynchronous operation
Microsoft.SignalRService/locations/operationStatuses/webpubsub/read Query the status of a location-based asynchronous operation
Microsoft.SignalRService/WebPubSub/operationResults/read
Microsoft.SignalRService/WebPubSub/operationStatuses/read View the value of WebPubSub access keys in the management portal or through API
Microsoft.SignalRService/WebPubSub/listkeys/action View the value of WebPubSub access keys in the management portal or through API

Azure Cosmos DB

Warning

Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.

Action Description
Microsoft.DocumentDB/databaseAccounts/read Reads a database account.
Microsoft.DocumentDB/databaseAccounts/write Update a database accounts.
Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action Get the connection strings for a database account
Microsoft.DocumentDB/databaseAccounts/listKeys/action List keys of a database account

Azure SQL Database

Action Description
Microsoft.Sql/servers/firewallRules/read Return the list of server firewall rules or gets the properties for the specified server firewall rule.
Microsoft.Sql/servers/firewallRules/write Creates a server firewall rule with the specified parameters, update the properties for the specified rule or overwrite all existing rules with new server firewall rule(s).
Microsoft.Sql/servers/firewallRules/delete Deletes an existing server firewall rule.
Microsoft.Sql/servers/databases/read Return the list of databases or gets the properties for the specified database.
Microsoft.Sql/servers/read Return the list of servers or gets the properties for the specified server.
Microsoft.Sql/servers/virtualNetworkRules/read Return the list of virtual network rules or gets the properties for the specified virtual network rule.
Microsoft.Sql/servers/virtualNetworkRules/write Creates a virtual network rule with the specified parameters or update the properties or tags for the specified virtual network rule.
Microsoft.Sql/servers/virtualNetworkRules/delete Deletes an existing Virtual Network Rule

Azure Key Vault

Action Description
Microsoft.KeyVault/vaults/write Creates a new key vault or updates the properties of an existing key vault. Certain properties may require more permissions.
Microsoft.KeyVault/vaults/read View the properties of a key vault
Microsoft.KeyVault/vaults/secrets/write Creates a new secret or updates the value of an existing secret.
Microsoft.KeyVault/vaults/accessPolicies/write Updates an existing access policy by merging or replacing, or adds a new access policy to the key vault.

Azure Cosmos DB

Action Description
Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/read Read a SQL Role Definition
Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write Create or update a SQL Role Definition
Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete Delete a SQL Role Assignment

Service Connector may need to grant permissions to Managed Identity or Service Principal if a connection is created with those as authentication types. The following table lists the permission requirements for creating a connection in this scenario.

Action Description
Microsoft.Authorization/roleAssignments/read Get information about a role assignment.
Microsoft.Authorization/roleAssignments/write Create a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/delete Delete a role assignment at the specified scope.

User-assigned managed identities connection

Service Connector may need to grant permissions to User-assigned Managed Identity if a connection is created with it as the authentication type. The following table lists the permission requirements for creating a connection in this scenario.

Action Description
Microsoft.ManagedIdentity/userAssignedIdentities/read Gets an existing user assigned identity
Microsoft.ManagedIdentity/userAssignedIdentities/assign/action RBAC action for assigning an existing user assigned identity to a resource
Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read Get or list Federated Identity Credentials
Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write Add or update a Federated Identity Credential
Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete Delete a Federated Identity Credential

Service Connector may need to grant permissions to your identity if a connection is created with private endpoint or service endpoint as the network solution. The following table lists the permission requirements for creating a connection in this scenario.

Action Description
Microsoft.Network/publicIPAddresses/read Gets a public IP address definition.
Microsoft.Network/virtualNetworks/subnets/read Gets a virtual network subnet definition
Microsoft.Network/virtualNetworks/subnets/write Creates a virtual network subnet or updates an existing virtual network subnet
Microsoft.Network/privateEndpoints/read Gets an private endpoint resource.
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Joins resource such as storage account or SQL database to a subnet. Not alertable.
Microsoft.Network/networkSecurityGroups/join/action Joins a network security group. Not Alertable.
Microsoft.Network/serviceEndpointPolicies/join/action Joins a Service Endpoint Policy. Not alertable.
Microsoft.Network/natGateways/join/action Joins a NAT Gateway
Microsoft.Network/networkIntentPolicies/join/action Joins a Network Intent Policy. Not alertable.
Microsoft.Network/networkSecurityGroups/join/action Joins a network security group. Not Alertable.
Microsoft.Network/routeTables/join/action Joins a route table. Not Alertable.