List of Microsoft Azure provider permissions for Cortex Cloud.
When onboarding Microsoft Azure, Cortex Cloud requests only the permissions needed for the security capabilities you enable, following the principle of least privilege. The required permissions depend on your onboarding scope (tenant, management group, or subscription) and your selected security capabilities. Permissions fall into three categories:
Required at all scopes: the Discovery Engine capability, which provides the asset visibility that all other Cortex Cloud capabilities depend on and cannot be deselected. It requires the Microsoft Graph Application.Read.All permission, which is used as follows:
- Tenant scope: during onboarding to create the Cortex service principal, and post-onboarding for ongoing asset discovery.
- Management group and subscription scopes: during onboarding only, to create the Cortex service principal.
Required at tenant or management group scope only: the Base capability, which grants the remediation role and cross-subscription managed identities. It is not requested at subscription scope.
Conditional on selected capabilities: requested only when the corresponding capability is enabled. Capabilities can be added or removed later, and the requested permissions adjust accordingly.
The reference tables below are organized by security module, then by role, and list each requested CSP permission together with its purpose:
Base (and Discovery) permissions represent the foundational, mandatory role assignments required to successfully onboard your Azure environment to Cortex.
cortex-mi-role-{suffix}
This custom Azure RBAC role contains the permissions needed to deploy Cortex per-subscription deployment artifacts. These artifacts include resource groups, custom roles and role assignments, policy definitions and assignments, Azure Resource Manager (ARM) deployments, and Azure Compute Galleries used by the agentless disk scanning (ADS) capability.
Created when | Management Group or Tenant scope only |
Assigned to | Customer-owned Onboarding User-Assigned Managed Identity (UAMI) cortex-mi-{suffix}. Not assigned to the Cortex Service Principal. |
Assignment scope | Management Group (Tenant Root Management Group for Tenant onboarding). |
Used by | Azure Policy's deployIfNotExists control plane. Used to deploy Cortex resources into each subscription under the scope. Cortex itself cannot authenticate as the UAMI. |
cortex-mi-role-{suffix} permissions:
Permission | Description |
|---|---|
Microsoft.Authorization/policyAssignments/delete | Delete Azure Policy assignments used for Cortex onboarding. Cortex uses this permission to clean up policy-based deployment assignments during onboarding lifecycle management. |
Microsoft.Authorization/policyAssignments/read | Read the configuration of Microsoft Defender for Cloud policy assignments. Cortex uses this to assess the current compliance posture and identify policy gaps that may require automated remediation. This read-only access supports security monitoring without modifying any policy configurations. |
Microsoft.Authorization/policyAssignments/write | Apply Microsoft Defender for Cloud policy assignments to enable security configurations monitoring. Cortex uses this to remediate issues detected by the "Azure Microsoft Defender for Cloud security configurations monitoring is set to disabled" rule. This automated remediation ensures that security monitoring remains active across the environment. |
Microsoft.Authorization/policyDefinitions/delete | Delete Azure Policy definitions used for Cortex onboarding. Cortex uses this permission to remove onboarding policy definitions during lifecycle management. |
Microsoft.Authorization/policyDefinitions/read | Read policy definitions. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Authorization/policyDefinitions/write | Create or update Azure Policy definitions for Cortex onboarding. Cortex uses this permission to define policies that automate onboarding resource deployment across subscriptions. |
Microsoft.Authorization/roleAssignments/delete | Delete role assignments created during Cortex onboarding. Cortex uses this permission to clean up role assignments during onboarding lifecycle management. |
Microsoft.Authorization/roleAssignments/read | Read role assignments. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Authorization/roleAssignments/write | Create role assignments for Cortex onboarding. Cortex uses this permission to assign required roles to service principals during automated onboarding deployment. |
Microsoft.Authorization/roleDefinitions/delete | Delete custom role definitions created during Cortex onboarding. Cortex uses this permission to clean up custom roles during onboarding lifecycle management. |
Microsoft.Authorization/roleDefinitions/read | Read role definitions. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Authorization/roleDefinitions/write | Create or update custom role definitions for Cortex onboarding. Cortex uses this permission to define custom roles with least-privilege permissions during onboarding deployment. |
Microsoft.Compute/galleries/delete | Delete compute gallery resources used for agentless disk scanning. Cortex uses this permission to clean up temporary gallery resources after completing vulnerability scans. |
Microsoft.Compute/galleries/read | Read galleries. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Compute/galleries/write | Create or update compute gallery resources for agentless disk scanning. Cortex uses this permission to set up temporary galleries required for disk snapshot analysis during vulnerability scanning. |
Microsoft.resources/deployments/cancel/action | Cancel an in-progress Azure Resource Manager deployment. Cortex uses this permission to manage onboarding deployments and cancel operations that encounter issues. |
Microsoft.resources/deployments/operations/read | Retrieve deployment operation details for Azure Resource Manager deployments. Cortex uses this permission to monitor onboarding deployment progress and troubleshoot provisioning. |
Microsoft.resources/deployments/operationStatuses/read | Retrieve deployment operation status for Azure Resource Manager deployments. Cortex uses this permission to track onboarding deployment status and verify successful provisioning. |
Microsoft.resources/deployments/read | Retrieve Azure Resource Manager deployment details. Cortex uses this permission to monitor onboarding deployments and verify resource provisioning. |
Microsoft.resources/deployments/validate/action | Validate an Azure Resource Manager deployment template before execution. Cortex uses this permission to pre-validate onboarding templates and prevent deployment failures. |
Microsoft.resources/deployments/write | Create or update Azure Resource Manager deployments for Cortex onboarding. Cortex uses this permission to deploy onboarding resources such as role definitions and role assignments. |
Microsoft.resources/subscriptions/read | Read the status and details of Azure subscriptions. Cortex uses this to understand the Azure environment structure and enumerate available subscriptions for automation workflows. Required for command: azure-nsg-subscriptions-list. |
Microsoft.resources/subscriptions/resourceGroups/moveResources/action | Move resources between resource groups during Cortex onboarding. Cortex uses this permission to organize onboarding resources into appropriate resource groups. |
Microsoft.resources/subscriptions/resourceGroups/read | Read the status and details of resource groups within a subscription. Cortex uses this to inventory Azure resources and understand the organizational structure of the environment. Required for command: azure-nsg-resource-group-list. |
Microsoft.resources/subscriptions/resourceGroups/resources/read | List resources within a resource group. Cortex uses this permission to discover all resources in a resource group for comprehensive asset inventory. |
Microsoft.resources/subscriptions/resourceGroups/validateMoveResources/action | Validate resource move operations between resource groups. Cortex uses this permission to pre-validate resource moves and prevent deployment failures during onboarding. |
Microsoft.resources/subscriptions/resourceGroups/write | Create or update resource groups. Cortex uses this permission to create the resource group that holds the Cortex per-subscription deployment artifacts. |
cortex-policy-{suffix}
This custom Azure RBAC role has the minimal permissions needed for the Cortex Service Principal to trigger Azure Policy remediation tasks. The service principal cannot modify the policy definition or the embedded Azure Resource Manager (ARM) template; it can only request that Azure Policy re-evaluate compliance and run the existing remediation.
Created when | Management Group or Tenant scope only. |
Assigned to | Cortex Service Principal. |
Assignment scope | Management Group (Tenant Root Management Group for Tenant onboarding). |
Used by | Cortex to trigger periodic Azure Policy remediation, which in turn causes the Onboarding UAMI to deploy Cortex resources into any newly-discovered subscription. |
cortex-policy-{suffix} permissions:
Permission | Description |
|---|---|
Microsoft.PolicyInsights/remediations/read | Retrieve Azure Policy remediation task details. Cortex uses this permission to monitor policy remediation status during onboarding deployments. |
Microsoft.PolicyInsights/remediations/write | Create or update Azure Policy remediation tasks for Cortex onboarding. Cortex uses this permission to trigger policy-based remediation that deploys onboarding resources to subscriptions. |
Application.Read.All (Microsoft Graph)
While not a traditional Azure RBAC custom role, this category represents a single Microsoft Graph application permission assigned directly to the Cortex service principal in your Entra ID tenant. This access is scoped strictly to your Microsoft Entra ID (formerly Azure AD) tenant environment. The permission is read-only. For subscription and management group onboarding scopes it is not used for any post-onboarding scanning or operational workflows; for tenant scope it is also used post-onboarding for ongoing asset discovery.
Permission | Description |
|---|---|
Application.Read.All | Requested at all onboarding scopes. Used during onboarding to create the Cortex service principal. At management group and subscription scope it is not used after onboarding; at tenant scope it is also used post-onboarding for ongoing asset discovery. |
The Discovery Engine permissions (and Base permissions) form the core of Cortex's visibility and asset inventory capabilities. These permissions provide the foundational access necessary for continuous asset discovery and Cloud Security Posture Management (CSPM) scanning across your cloud estate.
cortex-actions-{suffix}
Custom Azure RBAC role containing the plain read actions, plus the read-like posture-assessment actions, that Cortex needs for discovery. It is control-plane read-only: every action in it is a /read action or a read-like /action such as retrieving a webhook callback configuration.
Created when | All onboarding scopes. |
Assigned to | Cortex Service Principal. |
Assignment scope | Matches the onboarded scope. |
Used by | Cortex asset discovery to read metadata across the Azure resource types Cortex scans. |
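The invariants stated in the Base tables above (cortex-mi-role-{suffix} assigned only to the onboarding UAMI at management group scope, cortex-policy-{suffix} limited to the two PolicyInsights remediation actions) and the read-only property of cortex-actions-{suffix} are worth checking once the roles exist, because a later change to a custom role silently widens what the Cortex service principal can do. The following Python script is an added example, not Cortex Cloud or Palo Alto Networks code. It audits the JSON produced by `az role definition list --custom-role-only true -o json` and `az role assignment list --scope <management-group-scope> -o json` against those invariants. The object IDs, the management group name, the `abc123` suffix and the sample role data are constructed placeholders; the sample deliberately contains one deviation per invariant so the audit has something to report.

```python
"""Audit the Cortex custom roles and their assignments against the invariants
this page states. Added example; not Cortex Cloud / Palo Alto Networks code.

Input shapes match `az role definition list --custom-role-only true -o json`
and `az role assignment list --scope <management-group-scope> -o json`.
Object IDs, management group name and role suffix below are placeholders."""
import json
import sys

# Assumed identities (placeholders): the customer-owned onboarding UAMI and the
# Cortex service principal. Replace with the object IDs from your tenant.
UAMI_OBJECT_ID = "11111111-1111-1111-1111-111111111111"
CORTEX_SP_OBJECT_ID = "22222222-2222-2222-2222-222222222222"
MG_SCOPE = "/providers/Microsoft.Management/managementGroups/contoso-root"

# Exact action set documented for cortex-policy-{suffix}.
POLICY_ROLE_ACTIONS = {
    "Microsoft.PolicyInsights/remediations/read",
    "Microsoft.PolicyInsights/remediations/write",
}
# The only non-/read action documented in cortex-actions-{suffix}.
READ_LIKE_ACTIONS = {
    "Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
}


def _role(name, actions, data_actions=()):
    """Constructed sample row shaped like one `az role definition list` entry."""
    return {"roleName": name, "permissions": [{
        "actions": list(actions), "notActions": [],
        "dataActions": list(data_actions), "notDataActions": []}]}


def _ra(role_name, principal_id, scope=MG_SCOPE):
    """Constructed sample row shaped like one `az role assignment list` entry."""
    return {"roleDefinitionName": role_name, "principalType": "ServicePrincipal",
            "principalId": principal_id, "scope": scope}


SAMPLE_ROLE_DEFINITIONS = [
    _role("cortex-mi-role-abc123", ["Microsoft.Authorization/policyAssignments/write",
                                    "Microsoft.Resources/deployments/write"]),
    _role("cortex-policy-abc123", ["Microsoft.PolicyInsights/remediations/read",
                                   "Microsoft.PolicyInsights/remediations/write",
                                   "Microsoft.PolicyInsights/remediations/delete"]),  # drift
    _role("cortex-actions-abc123",
          ["Microsoft.Compute/virtualMachines/read",
           "Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
           "Microsoft.Compute/snapshots/write"],                             # drift
          ["Microsoft.KeyVault/vaults/secrets/getSecret/action"]),           # drift
]
SAMPLE_ROLE_ASSIGNMENTS = [
    _ra("cortex-mi-role-abc123", UAMI_OBJECT_ID),
    _ra("cortex-mi-role-abc123", CORTEX_SP_OBJECT_ID),  # drift: mi-role on the SP
    _ra("cortex-policy-abc123", CORTEX_SP_OBJECT_ID),
    _ra("cortex-actions-abc123", CORTEX_SP_OBJECT_ID),
]


def actions_of(role):
    """Flatten a role definition into (control-plane actions, data actions)."""
    actions, data_actions = set(), set()
    for perm in role.get("permissions", []):
        actions.update(perm.get("actions", []))
        data_actions.update(perm.get("dataActions", []))
    return actions, data_actions


def audit(role_definitions, role_assignments):
    """Return (code, role_name, detail) findings; an empty list means compliant."""
    findings = []
    for role in role_definitions:
        name = role["roleName"]
        actions, data_actions = actions_of(role)
        if name.startswith("cortex-policy-"):
            # Invariant: exactly the two PolicyInsights remediation actions.
            for extra in sorted(actions - POLICY_ROLE_ACTIONS):
                findings.append(("policy-extra-action", name, extra))
            for missing in sorted(POLICY_ROLE_ACTIONS - actions):
                findings.append(("policy-missing-action", name, missing))
        elif name.startswith("cortex-actions-"):
            # Invariant: only /read actions plus the documented read-like
            # /action; no wildcards.
            for action in sorted(actions):
                if "*" in action or (not action.endswith("/read")
                                     and action not in READ_LIKE_ACTIONS):
                    findings.append(("non-read-action", name, action))
        if name.startswith(("cortex-policy-", "cortex-actions-")) and data_actions:
            # Neither service-principal role documents any data-plane action.
            findings.append(("data-actions", name, ",".join(sorted(data_actions))))

    for ra in role_assignments:
        name = ra["roleDefinitionName"]
        if name.startswith("cortex-mi-role-"):
            # Invariant: only the onboarding UAMI, at management group scope.
            if ra["principalId"] != UAMI_OBJECT_ID:
                findings.append(("mi-role-wrong-principal", name, ra["principalId"]))
            if ra["scope"] != MG_SCOPE:
                findings.append(("mi-role-wrong-scope", name, ra["scope"]))
        elif name.startswith(("cortex-policy-", "cortex-actions-")):
            # Invariant: these belong to the Cortex service principal only.
            if ra["principalId"] != CORTEX_SP_OBJECT_ID:
                findings.append(("sp-role-wrong-principal", name, ra["principalId"]))
    return findings


if __name__ == "__main__":
    # Usage: python audit_cortex_roles.py roles.json assignments.json
    # With no arguments the constructed sample above is audited instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            roles, assignments = json.load(f1), json.load(f2)
    else:
        roles, assignments = SAMPLE_ROLE_DEFINITIONS, SAMPLE_ROLE_ASSIGNMENTS
    for code, role_name, detail in audit(roles, assignments):
        print(f"{code:24} {role_name:24} {detail}")
```

Run against the constructed sample, the audit reports the extra `remediations/delete` action on the policy role, the `snapshots/write` action and the Key Vault data action on the actions role, and the mi-role assignment to the service principal. Against a correctly onboarded tenant it returns nothing; treat any finding as a change to re-approve, since the documented tables are the baseline you consented to at onboarding.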
cortex-actions-{suffix} permissions:
Permission | Description |
|---|---|
Microsoft.Advisor/configurations/read | Read Advisor configuration. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.AlertsManagement/prometheusRuleGroups/read | Read Prometheus rule groups. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.AlertsManagement/smartDetectorAlertRules/read | Read smart detector alert rules. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.AnalysisServices/servers/read | Read Analysis Services servers. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.ApiManagement/service/apis/diagnostics/read | Read diagnostics info of APIs. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.ApiManagement/service/apis/policies/read | Read policies on APIs. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.ApiManagement/service/apis/read | Read API details. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.ApiManagement/service/identityProviders/read | Read API Management identity providers. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.ApiManagement/service/portalSettings/read | Read developer portal settings. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.ApiManagement/service/products/policies/read | Read policies on API products. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.ApiManagement/service/products/read | Read API products. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.ApiManagement/service/read | Read API Management service info. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.ApiManagement/service/tenant/read | Read tenant info in API Management. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.AppConfiguration/configurationStores/read | Read Azure App Configuration stores. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.App/containerApps/read | Read App container apps. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.AppPlatform/spring/apps/read | Read Spring apps in Azure App Platform. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
Microsoft.AppPlatform/spring/read | Read Azure App Platform Spring resource info. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
Microsoft.Attestation/attestationProviders/read | Read attestation providers. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Authorization/locks/read | Read resource locks. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Authorization/permissions/read | Read permissions. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Authorization/policyAssignments/read | Read the configuration of Microsoft Defender for Cloud policy assignments. Cortex uses this to assess the current compliance posture and identify policy gaps in the customer's Azure environment. This read-only access supports security monitoring without modifying any policy configurations. |
Microsoft.Authorization/policyDefinitions/read | Read policy definitions. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Authorization/roleAssignments/read | Read role assignments. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Authorization/roleDefinitions/read | Read role definitions. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Automanage/configurationProfiles/read | Read Automanage configuration profiles. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
Microsoft.Automation/automationAccounts/credentials/read | Read Automation account credential assets (metadata such as the user name; the stored secret value is not returned by this operation). Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read | Read hybrid runbook worker groups. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Automation/automationAccounts/read | Read automation accounts. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Automation/automationAccounts/runbooks/read | Read runbooks. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Automation/automationAccounts/variables/read | Read variables in automation accounts. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.AzureStackHCI/clusters/read | Read Azure Stack HCI clusters. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Batch/batchAccounts/pools/read | Read batch account pools. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Batch/batchAccounts/read | Read batch accounts. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Blueprint/blueprints/read | Read blueprints. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.BotService/botServices/read | Read bot services. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Cache/redisEnterprise/read | Read Redis Enterprise caches. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Cache/redis/firewallRules/read | Read firewall rules on Redis cache. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Cache/redis/read | Read Redis caches. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Cdn/profiles/afdEndpoints/read | Read CDN profile AFD endpoints. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Cdn/profiles/afdEndpoints/routes/read | Read routes of CDN profile AFD endpoints. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Cdn/profiles/customDomains/read | Read custom domains in CDN profiles. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Cdn/profiles/endpoints/customDomains/read | Read custom domains of CDN endpoints. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Cdn/profiles/endpoints/read | Read CDN profile endpoints. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Cdn/profiles/originGroups/read | Read origin groups in CDN profiles. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Cdn/profiles/read | Read CDN profiles. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Cdn/profiles/securityPolicies/read | Read CDN profile security policies. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Chaos/experiments/read | Read Chaos experiments. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
Microsoft.CognitiveServices/accounts/deployments/read | Read deployments in Cognitive Services accounts. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.CognitiveServices/accounts/models/read | Read models in Cognitive Services accounts. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.CognitiveServices/accounts/raiPolicies/read | Read RAI policies in Cognitive Services accounts. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.CognitiveServices/accounts/read | Read Cognitive Services accounts. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.CognitiveServices/models/read | Read Cognitive Services models. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Communication/communicationServices/read | Read Communication Services. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Compute/availabilitySets/read | Read availability sets. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Compute/cloudServices/read | Read cloud services. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Compute/cloudServices/roleInstances/read | Read cloud service role instances. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Compute/diskEncryptionSets/read | Read disk encryption sets. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Compute/disks/read | Retrieve disk metadata. This is used to identify disk properties and states, such as detecting dangling disks. It ensures accurate inventory and assessment of storage resources within the environment. |
Microsoft.Compute/galleries/images/read | Read gallery images in order to create disks for image scanning. Cortex uses this to inventory VM images and identify those requiring security assessment and vulnerability scanning as part of agentless disk scanning operations. |
Microsoft.Compute/galleries/read | Read galleries. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Compute/hostGroups/read | Read host groups. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Compute/snapshots/read | Read snapshot metadata within the onboarded scope. Cortex uses this to manage the lifecycle of snapshots created for agentless disk scanning (ADS). |
Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read | Read network interfaces of VM scale sets. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses/read | Read public IP addresses of VM scale sets. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Compute/virtualMachineScaleSets/read | Read virtual machine scale sets. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read | Read the instance view (runtime status) of virtual machines in a VM scale set. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/publicIPAddresses/read | Read public IPs of VM scale set VM NICs IP configurations. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read | Read virtual machines in VM scale sets. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Compute/virtualMachines/extensions/read | Read VM extensions. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Compute/virtualMachines/instanceView/read | Read VM instance view. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Compute/virtualMachines/read | Enable reading VM configurations. Cortex uses this to inventory virtual machines and identify those requiring security scanning. |
Microsoft.Confluent/organizations/read | Read Confluent organizations. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
Microsoft.ContainerInstance/containerGroups/read | Read container groups. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.ContainerRegistry/registries/metadata/read | Read container registry metadata. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.ContainerRegistry/registries/pull/read | Pull images from container registries. Unlike the other registry permissions, this grants access to image content (manifests and layers), not only resource metadata. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.ContainerRegistry/registries/read | Read the configuration and properties of Azure Container Registry (ACR) instances. Cortex uses this to assess container registry security settings such as export configurations as part of CSPM posture evaluation. This read-only access does not modify any registry resources. |
Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action | Get webhook callback configurations. Cortex uses this to evaluate container registry webhook security configuration for security assessment and operational visibility across the Azure environment. Note that the callback config may include authentication tokens or secret URLs. |
Microsoft.ContainerService/managedClusters/read | Read managed Kubernetes clusters. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Dashboard/grafana/read | Read Grafana dashboards. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DataBoxEdge/dataBoxEdgeDevices/read | Read DataBox Edge devices. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Databricks/accessConnectors/read | Read Databricks access connectors. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Databricks/workspaces/read | Read Databricks workspaces. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Datadog/monitors/read | Read Datadog monitors. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
Microsoft.DataFactory/dataFactories/read | Read Data Factory data factories. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DataFactory/factories/integrationRuntimes/read | Read Data Factory integration runtimes. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DataFactory/factories/linkedServices/read | Read Data Factory linked services. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DataFactory/factories/read | Read Data Factories. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/read | Read Data Lake Store accounts linked to Data Lake Analytics accounts. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DataLakeAnalytics/accounts/firewallRules/read | Read Data Lake Analytics firewall rules. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DataLakeAnalytics/accounts/read | Read Data Lake Analytics accounts. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DataLakeAnalytics/accounts/storageAccounts/read | Read Data Lake Analytics storage accounts. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DataLakeStore/accounts/firewallRules/read | Read Data Lake Store firewall rules. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
Microsoft.DataLakeStore/accounts/read | Read Data Lake Store accounts. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
Microsoft.DataLakeStore/accounts/trustedIdProviders/read | Read Data Lake Store trusted ID providers. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
Microsoft.DataLakeStore/accounts/virtualNetworkRules/read | Read Data Lake Store virtual network rules. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
Microsoft.DataMigration/services/read | Read Data Migration services. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DataShare/accounts/read | Read Data Share accounts. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DBforMariaDB/servers/firewallRules/read | Read MariaDB server firewall rules. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DBforMariaDB/servers/read | Read MariaDB servers. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DBforMySQL/flexibleServers/configurations/read | Read the configuration settings of Azure MySQL flexible servers. Cortex uses this to assess database security settings such as SSL enforcement configurations as part of CSPM posture evaluation. This read-only access does not modify any database configurations. |
Microsoft.DBforMySQL/flexibleServers/databases/read | Read MySQL flexible server databases. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DBforMySQL/flexibleServers/firewallRules/read | Read MySQL flexible server firewall rules. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DBforMySQL/flexibleServers/read | Read MySQL flexible servers. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DBforMySQL/servers/firewallRules/read | Read MySQL server firewall rules. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DBforMySQL/servers/read | Read MySQL servers. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DBforMySQL/servers/virtualNetworkRules/read | Read MySQL server virtual network rules. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DBforPostgreSQL/flexibleServers/configurations/read | Read PostgreSQL flexible server configurations. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DBforPostgreSQL/flexibleServers/databases/read | Read PostgreSQL flexible server databases. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/read | Read PostgreSQL flexible server firewall rules. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DBforPostgreSQL/flexibleServers/read | Read PostgreSQL flexible servers. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DBforPostgreSQL/servers/configurations/read | Read the configuration settings of Azure PostgreSQL servers. Cortex uses this to assess database security settings such as connection throttling parameters as part of CSPM posture evaluation. This read-only access does not modify any database configurations. |
Microsoft.DBforPostgreSQL/servers/firewallRules/read | Read PostgreSQL server firewall rules. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DBforPostgreSQL/servers/read | Read the configuration and properties of Azure PostgreSQL servers. Cortex uses this to inventory databases and assess their security configurations such as SSL connection settings as part of CSPM posture evaluation. This read-only access does not modify any server resources. |
Microsoft.DBforPostgreSQL/serversv2/firewallRules/read | Read PostgreSQL servers v2 firewall rules. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DesktopVirtualization/applicationGroups/read | Read Desktop Virtualization application groups. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DesktopVirtualization/hostPools/read | Read Desktop Virtualization host pools. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DesktopVirtualization/hostPools/sessionHostConfigurations/read | Read Desktop Virtualization host pool session host configurations. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DesktopVirtualization/hostPools/sessionHosts/read | Read session hosts within Desktop Virtualization host pools. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DesktopVirtualization/workspaces/providers/Microsoft.Insights/diagnosticSettings/read | Read Desktop Virtualization workspace diagnostic settings. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DesktopVirtualization/workspaces/read | Read Desktop Virtualization workspaces. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DevCenter/devcenters/read | Read DevCenter devcenters. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
Microsoft.Devices/IotHubs/privateLinkResources/read | Read IoT Hubs private link resources. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Devices/IotHubs/read | Read IoT Hubs. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DevTestLab/schedules/read | Read DevTestLab schedules. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
Microsoft.DigitalTwins/digitalTwinsInstances/read | Read Digital Twins instances. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
Microsoft.DocumentDB/cassandraClusters/read | Read DocumentDB Cassandra clusters. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.DocumentDB/databaseAccounts/read | Read the configuration and properties of Azure Cosmos DB database accounts. Cortex uses this to assess NoSQL database security settings such as key-based authentication configurations as part of CSPM posture evaluation. This read-only access does not modify any database resources. |
Microsoft.DomainRegistration/domains/read | Read Domain registrations. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
Microsoft.Easm/workspaces/read | Read Easm workspaces. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
Microsoft.Elastic/monitors/read | Read Elastic monitors. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
Microsoft.EventGrid/domains/privateLinkResources/read | Read Event Grid domains private link resources. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.EventGrid/domains/read | Read Event Grid domains. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.EventGrid/namespaces/read | Read Event Grid namespaces. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.EventGrid/partnerNamespaces/read | Read Event Grid partner namespaces. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.EventGrid/topics/privateLinkResources/read | Read Event Grid topics private link resources. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.EventGrid/topics/read | Read Event Grid topics. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.EventHub/clusters/read | Read EventHub clusters. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.EventHub/namespaces/authorizationRules/read | Read EventHub namespaces authorization rules. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.EventHub/namespaces/eventhubs/authorizationRules/read | Read EventHub event hub authorization rules. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.EventHub/namespaces/eventhubs/read | Read EventHub event hubs. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.EventHub/namespaces/ipFilterRules/read | Read EventHub IP filter rules. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.EventHub/namespaces/privateEndpointConnections/read | Read EventHub Namespace private endpoint connections. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.EventHub/namespaces/read | Read EventHub namespaces. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.EventHub/namespaces/virtualNetworkRules/read | Read EventHub virtual network rules. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.HDInsight/clusters/applications/read | Read HDInsight cluster applications. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.HDInsight/clusters/read | Read HDInsight clusters. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.HealthBot/healthBots/read | Read HealthBot bots. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
Microsoft.HealthcareApis/workspaces/read | Read Healthcare APIs workspaces. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.HybridCompute/machines/read | Read Hybrid Compute machines. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Insights/actionGroups/read | Read Insights action groups. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Insights/activityLogAlerts/read | Read Insights activity log alerts. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Insights/components/read | Read Insights components. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Insights/dataCollectionEndpoints/read | Read Insights data collection endpoints. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Insights/dataCollectionRules/read | Read Insights data collection rules. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Insights/diagnosticSettings/read | Read Insights diagnostic settings. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Insights/eventtypes/values/read | Read Insights event type values. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Insights/logProfiles/read | Read the configuration of Azure Activity Log profiles. Cortex uses this to assess audit logging coverage and verify that activity log retention periods meet security requirements. This read-only access does not modify any log profile configurations. |
Microsoft.Insights/metricAlerts/read | Read Insights metric alerts. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.IoTCentral/iotApps/read | Retrieve IoT Central application configurations. Cortex uses this permission to inventory IoT applications and assess their security posture. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
Microsoft.KeyVault/vaults/keys/read | Read Key Vault keys. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.KeyVault/vaults/privateLinkResources/read | Read Key Vault private link resources. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.KeyVault/vaults/read | Read the configuration and properties of Azure Key Vaults. Cortex uses this to assess key management security settings such as recoverability configurations (soft-delete, purge-protection) as part of CSPM posture evaluation. This read-only access does not modify any Key Vault resources. |
Microsoft.Kusto/clusters/databases/read | Read Kusto cluster databases. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Kusto/clusters/read | Read Kusto clusters. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.LabServices/labs/read | Read Lab Services labs. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
Microsoft.LoadTestService/loadTests/read | Read Load Test Service tests. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Logic/integrationAccounts/read | Read Logic integration accounts. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Logic/workflows/read | Read Logic workflows. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Logic/workflows/versions/read | Read Logic workflow versions. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.MachineLearningServices/workspaces/computes/read | Read Machine Learning Services workspace computes. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.MachineLearningServices/workspaces/outboundRules/read | Read Machine Learning Services workspace outbound rules. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.MachineLearningServices/workspaces/read | Read Machine Learning Services workspaces. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.ManagedIdentity/userAssignedIdentities/read | Read Managed Identity user assigned identities. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.ManagedServices/marketplaceRegistrationDefinitions/read | Read Managed Services marketplace registration definitions. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.ManagedServices/registrationAssignments/read | Read Managed Services registration assignments. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Management/managementGroups/descendants/read | Read Management Groups descendants. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Management/managementGroups/read | Read Management Groups. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Management/managementGroups/subscriptions/read | Read Management Groups subscriptions. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Maps/accounts/read | Read Maps accounts. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Migrate/moveCollections/read | Read Migrate move collections. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Monitor/accounts/read | Read Monitor accounts. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.NetApp/netAppAccounts/capacityPools/read | Read NetApp capacity pools. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.NetApp/netAppAccounts/capacityPools/volumes/read | Read NetApp capacity pool volumes. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.NetApp/netAppAccounts/read | Read NetApp accounts. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/applicationGateways/read | Read Application Gateways. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/read | Read Application Gateway Web Application Firewall Policies. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/applicationSecurityGroups/read | Read Application Security Groups. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/azureFirewalls/read | Read Azure Firewalls. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/bastionHosts/read | Read Bastion Hosts. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/connections/read | Read Network Connections. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/ddosProtectionPlans/read | Read DDoS Protection Plans. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/dnsZones/read | Read DNS Zones. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/expressRouteCircuits/authorizations/read | Read ExpressRoute Circuit authorizations. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/expressRouteCircuits/peerings/connections/read | Read ExpressRoute Circuit peerings connections. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/expressRouteCircuits/peerings/peerConnections/read | Read ExpressRoute Circuit peer connections. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/expressRouteCircuits/peerings/read | Read ExpressRoute Circuit peerings. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/expressRouteCircuits/read | Read ExpressRoute Circuits. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/expressRouteCrossConnections/peerings/read | Read ExpressRoute Cross Connections peerings. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/expressRouteCrossConnections/read | Read ExpressRoute Cross Connections. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/expressRouteGateways/expressRouteConnections/read | Read ExpressRoute Gateways connections. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/expressRouteGateways/read | Read ExpressRoute Gateways. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/expressRoutePorts/authorizations/read | Read ExpressRoute Ports authorizations. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/expressRoutePorts/links/read | Read ExpressRoute Ports links. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/expressRoutePortsLocations/read | Read ExpressRoute Ports locations. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/expressRoutePorts/read | Read ExpressRoute Ports. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/firewallPolicies/read | Read Firewall Policies. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/frontdoors/backendPools/read | Read Front Door backend pools. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/frontdoors/frontendEndpoints/read | Read Front Door frontend endpoints. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/frontdoors/healthProbeSettings/read | Read Front Door health probe settings. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/frontdoors/loadBalancingSettings/read | Read Front Door load balancing settings. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/frontdoors/read | Read Front Doors. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/frontdoors/routingRules/read | Read Front Door routing rules. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/frontdoors/rulesEngines/read | Read Front Door rules engines. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/read | Read Front Door Web Application Firewall Policies. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.NetworkFunction/azureTrafficCollectors/read | Read Azure Traffic Collectors. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
Microsoft.Network/loadBalancers/read | Read Load Balancers. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/localNetworkGateways/read | Read Local Network Gateways. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/locations/usages/read | Read Network locations usage. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/natGateways/read | Read NAT Gateways. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action | Execute the effective network security groups action on network interfaces. Cortex uses this for security assessment and operational visibility across the Azure environment. |
Microsoft.Network/networkInterfaces/effectiveRouteTable/action | Execute the effective route table action on network interfaces (NICs). Cortex uses this for security assessment and operational visibility across the Azure environment. |
Microsoft.Network/networkInterfaces/read | Read the list of network interfaces and their configurations, including their Network Security Group (NSG) associations. Cortex uses this to assess network security settings and identify resources associated with specific NSGs as part of automation workflows. Required for command: azure-nsg-network-interfaces-list. |
Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read | Read Network Security Groups default security rules. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/networkSecurityGroups/read | Read the list and configurations of Network Security Groups (NSGs). Cortex uses this to assess network security posture and identify NSGs that may require remediation. Required for command: azure-nsg-security-groups-list. |
Microsoft.Network/networkSecurityGroups/securityRules/read | Read the configuration of Network Security Group (NSG) rules to assess traffic permissions. Cortex uses this to evaluate whether NSG rules are overly permissive and to determine if remediation is needed. Required for command: azure-nsg-security-rule-get. |
Microsoft.Network/networkWatchers/read | Read network watcher settings. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/networkWatchers/securityGroupView/action | Execute the Network Watcher security group view action. Cortex uses this for security assessment and operational visibility across the Azure environment. |
Microsoft.Network/p2sVpnGateways/read | Read P2S VPN Gateways. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/privateDnsZones/all/read | Read all record sets in Private DNS Zones. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/privateDnsZones/read | Read Private DNS Zones. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read | Read Private Endpoints DNS Zone Groups. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/privateEndpoints/read | Read Private Endpoints. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/privateLinkServices/read | Read Private Link Services. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/publicIPAddresses/read | Read and list Network Security Group (NSG) and VM public IP addresses and their details. Cortex uses this to identify externally exposed resources and assess their security posture as part of automation workflows. Required for commands: azure-nsg-public-ip-addresses-list and azure-vm-public-ip-details-get. |
Microsoft.Network/publicIPPrefixes/read | Read Public IP Prefixes. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/routeFilters/read | Read Route Filters. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/routeFilters/routeFilterRules/read | Read Route Filter Rules. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/routeTables/read | Read Route Tables. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/routeTables/routes/read | Read Route Table Routes. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/serviceEndpointPolicies/read | Read Service Endpoint Policies. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions/read | Read Service Endpoint Policy Definitions. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/trafficManagerProfiles/read | Read Traffic Manager Profiles. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/virtualNetworkGateways/connections/read | Read Virtual network gateways connections. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/virtualNetworkGateways/read | Read Virtual Network Gateways. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/virtualNetworks/read | Read Virtual Networks. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/virtualNetworks/subnets/read | Read Virtual Network Subnets. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | Read Virtual Network peerings. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/virtualWans/read | Read Virtual WANs. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Network/vpnServerConfigurations/read | Read VPN Server Configurations. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.notificationHubs/namespaces/notificationHubs/read | Read Notification Hubs. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.notificationHubs/namespaces/read | Read Notification Hub namespaces. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.OperationalInsights/clusters/read | Read Operational Insights clusters. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.OperationalInsights/queryPacks/read | Read Operational Insights query packs. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.OperationalInsights/workspaces/read | Read Operational Insights workspaces. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.OperationalInsights/workspaces/tables/read | Read Operational Insights workspace tables. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.PowerBIDedicated/servers/read | Read Power BI Dedicated servers. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Quantum/workspaces/read | Read Quantum Workspaces. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
Microsoft.RecoveryServices/vaults/backupPolicies/read | Read Recovery Services Vault backup policies. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.RecoveryServices/vaults/backupProtectedItems/read | Read Recovery Services Vault backup protected items. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.RecoveryServices/vaults/read | Read Recovery Services Vaults. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.RedHatOpenShift/openshiftClusters/read | Read Red Hat OpenShift clusters. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Relay/namespaces/read | Read Relay namespaces. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.resources/resources/read | Read generic resources. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.resources/subscriptions/providers/read | Read subscription providers. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.resources/subscriptions/read | Read the status and details of Azure subscriptions. Cortex uses this to understand the Azure environment structure and enumerate available subscriptions for automation workflows. Required for command: azure-nsg-subscriptions-list. |
Microsoft.resources/subscriptions/resourceGroups/read | Read the status and details of resource groups within a subscription. Cortex uses this to inventory Azure resources and understand the organizational structure of the environment. Required for command: azure-nsg-resource-group-list. |
Microsoft.resources/templateSpecs/read | Read template specs. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.SaaS/applications/read | Read SaaS applications. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
Microsoft.Search/searchServices/read | Read Azure AI Search service properties to discover search services for DSPM scanning. |
Microsoft.Security/advancedThreatProtectionSettings/read | Read Security advanced threat protection settings. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Security/automations/read | Read Security automations. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Security/iotSecuritySolutions/read | Read IoT Security Solutions. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Security/locations/jitNetworkAccessPolicies/read | Read Just-in-Time network access policies. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Security/locations/read | Read Security locations. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Security/pricings/read | Read Security pricings. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Security/secureScores/read | Read Security secure scores. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Security/securityContacts/read | Read Microsoft Defender for Cloud security contact configurations (email addresses, notification preferences). Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Security/settings/read | Read Security settings. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Security/workspaceSettings/read | Read Security workspace settings. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.ServiceBus/namespaces/authorizationRules/read | Read Service Bus namespace authorization rules. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.ServiceBus/namespaces/networkRuleSets/read | Read Service Bus namespace network rule sets. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.ServiceBus/namespaces/privateEndpointConnections/read | Read Service Bus namespace private endpoint connections. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.ServiceBus/namespaces/providers/Microsoft.Insights/diagnosticSettings/read | Read Service Bus namespace diagnostic settings. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.ServiceBus/namespaces/queues/read | Read Service Bus queues. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.ServiceBus/namespaces/read | Read Service Bus namespaces. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.ServiceBus/namespaces/topics/read | Read Service Bus topics. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.ServiceBus/namespaces/topics/subscriptions/read | Read Service Bus topic subscriptions. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.ServiceFabric/clusters/read | Read Service Fabric clusters. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.SignalRService/signalr/read | Read SignalR Service SignalR. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.SignalRService/webPubSub/read | Read SignalR Web PubSub. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Solutions/applications/read | Read Solutions applications. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Sql/managedInstances/databases/read | Read SQL managed instances databases. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Sql/managedInstances/databases/transparentDataEncryption/read | Read SQL managed instances databases Transparent Data Encryption. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Sql/managedInstances/encryptionProtector/read | Read SQL managed instances encryption protector. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Sql/managedInstances/read | Read SQL managed instances. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Sql/managedInstances/vulnerabilityAssessments/read | Read SQL managed instances vulnerability assessments. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Sql/servers/administrators/read | Read SQL server administrators. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Sql/servers/auditingSettings/read | Read SQL server auditing settings. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Sql/servers/databases/auditingSettings/read | Read SQL server databases auditing settings. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Sql/servers/databases/dataMaskingPolicies/read | Read SQL server databases data masking policies. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Sql/servers/databases/dataMaskingPolicies/rules/read | Read SQL server databases data masking policies rules. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Sql/servers/databases/read | Read SQL server databases. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Sql/servers/databases/securityAlertPolicies/read | Read the security alert policy configuration for Azure SQL Databases. Cortex uses this to assess database threat detection configurations and determine whether email notifications for Threat Detection are properly enabled. This read-only access does not modify any security alert policies. |
Microsoft.Sql/servers/databases/transparentDataEncryption/read | Read the Transparent Data Encryption (TDE) status for Azure SQL databases. Cortex uses this to assess database encryption posture and determine whether TDE is properly enabled. This read-only access does not modify any encryption settings. |
Microsoft.Sql/servers/encryptionProtector/read | Read SQL server encryption protector. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Sql/servers/firewallRules/read | Read SQL server firewall rules. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Sql/servers/read | Read SQL servers. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Sql/servers/securityAlertPolicies/read | Read SQL server security alert policies. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Sql/servers/vulnerabilityAssessments/read | Read SQL server vulnerability assessments. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.SqlVirtualMachine/sqlVirtualMachines/read | Read SQL Virtual Machines. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.StorageCache/caches/read | Read Storage Cache caches. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.StorageCache/subscription/caches/read | Read Storage Cache subscription caches. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.StorageMover/storageMovers/read | Read Storage Mover storage movers. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Storage/storageAccounts/blobServices/read | Read the configuration of Azure Storage account blob services. Cortex uses this to assess storage security posture, including soft delete settings, as part of CSPM posture evaluation. This read-only access does not modify any blob service configurations. |
Microsoft.Storage/storageAccounts/fileServices/read | Read Storage file services. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Storage/storageAccounts/fileServices/shares/read | Read file share metadata to discover and inventory file share data stores for DSPM scanning. |
Microsoft.Storage/storageAccounts/listKeys/action | List Storage account keys (action). Cortex uses this for security assessment and operational visibility across the Azure environment: it ingests key metadata for CSPM policy evaluation (key rotation, key-based access status). The action returns the storage account access keys. While those keys grant full read/write access to the storage account data and transit through the Cortex Cloud scanning infrastructure, Cortex evaluates the key metadata in memory and does not persist the keys or use them for data-plane access. |
Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read | Read Storage account diagnostic settings. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Storage/storageAccounts/queueServices/read | Read Storage queue services. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Storage/storageAccounts/read | Read storage account properties to discover and inventory data stores for DSPM scanning. |
Microsoft.Storage/storageAccounts/tableServices/read | Read Storage table services. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.StorageSync/storageSyncServices/privateLinkResources/read | Read Storage Sync private link resources. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.StorageSync/storageSyncServices/read | Read Storage Sync services. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.StreamAnalytics/clusters/read | Read Stream Analytics clusters. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.StreamAnalytics/streamingJobs/read | Read Stream Analytics streaming jobs. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.subscription/policies/default/read | Read Subscription default policies. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Synapse/privateLinkHubs/privateLinkResources/read | Read Synapse private link hubs private link resources. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Synapse/privateLinkHubs/read | Read Synapse private link hubs. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Synapse/workspaces/privateLinkResources/read | Read Synapse workspace private link resources. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Synapse/workspaces/read | Read Synapse workspaces. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Synapse/workspaces/sparkConfigurations/read | Read Synapse workspaces spark configurations. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Synapse/workspaces/sqlPools/geoBackupPolicies/read | Read Synapse workspaces SQL pools geo backup policies. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Synapse/workspaces/sqlPools/read | Read Synapse workspaces SQL pools. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.VideoIndexer/accounts/read | Read Video Indexer accounts. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.VisualStudio/account/read | Read Visual Studio accounts. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
Microsoft.Web/certificates/read | Read Web certificates. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Web/customApis/read | Read Web custom APIs. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Web/hostingEnvironments/read | Read Web hosting environments. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Web/serverFarms/read | Read Web server farms. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Web/serverFarms/sites/read | Read Server farms sites. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Web/sites/basicPublishingCredentialsPolicies/read | Read Web sites basic publishing credentials policies. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Web/sites/config/appsettings/read | Read Web sites app settings. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Web/sites/config/list/action | Execute the action that lists Web site configuration. Cortex uses the returned App Service config, including connection strings, to evaluate TLS, HTTPS enforcement, and whether connection strings contain hardcoded secrets, for security assessment and operational visibility across the Azure environment. While connection strings may contain database credentials, Cortex assesses them for compliance and does not connect to the referenced databases. |
Microsoft.Web/sites/config/read | Read the configuration settings of Azure App Service Web apps. Cortex uses this to assess web application security settings such as HTTP version and HTTPS enforcement as part of CSPM posture evaluation. This read-only access does not modify any App Service configurations. |
Microsoft.Web/sites/functions/read | Read Web sites functions. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Web/sites/privateEndpointConnections/read | Read Web sites private endpoint connections. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Web/sites/read | Read the status and properties of Azure App Service Web apps. Cortex uses this to inventory web applications and assess their security configurations such as HTTPS enforcement as part of CSPM posture evaluation. This read-only access does not modify any App Service resources. |
Microsoft.Web/sites/slots/read | Read Web sites slots. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Web/staticSites/read | Read Web static sites. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. |
Microsoft.Workloads/monitors/read | Read Workloads monitors. Cortex uses this for comprehensive asset discovery and security posture assessment across the Azure environment. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
cortex-reader-{suffix}
This custom Azure RBAC role grants read-only access to Azure resource metadata via the */read action. No resource is ever created, modified, or deleted.
Created when | All onboarding scopes. |
Assigned to | Cortex Service Principal. |
Assignment scope | Matches the onboarded scope. |
Used by | Cortex asset discovery to read metadata across the Azure resource types Cortex scans. |
cortex-reader-{suffix} permissions:
Permission | Description |
|---|---|
*/read | Provide read-only access to get metadata of all managed data assets. Cortex uses this broad read permission to inventory and assess the security posture of all Azure resources without making any modifications. |
Cortex cloud infrastructure entitlement management (CIEM) and Entra ID posture assessment use these permissions to read the customer's Entra ID directory, such as users, groups, service principals, role assignments, and conditional access policies, to map who has access to the tenant and how that access is configured. This identity-plane data lives in Entra ID and is reachable only through Microsoft Graph. These permissions are only assigned on Tenant onboarding scope or Entra-only onboarding scope.
Permission | Description |
|---|---|
Application.Read.All | Read application registrations, service principals, and their app-role assignments from Microsoft Entra ID. Cortex uses this permission to obtain the application-identity surface that discovery and CIEM need to build the identity graph. |
AuditLog.Read.All | Read audit log entries from Microsoft Entra ID. Cortex uses this permission to monitor directory changes and assess identity security posture. |
Directory.Read.All | Read directory data including users, groups, and applications from Microsoft Entra ID. Cortex uses this permission to inventory directory objects and assess identity security configurations. |
Domain.Read.All | Read all domain properties in Entra ID. Cortex uses this to assess domain configurations as part of identity security posture management. |
EntitlementManagement.Read.All | Read access packages and entitlement management configurations from Microsoft Entra ID. Cortex uses this permission to assess identity governance policies and access lifecycle management. |
GroupMember.Read.All | Read group membership details from Microsoft Entra ID. Cortex uses this permission to evaluate group membership configurations for identity security assessment. |
Group.Read.All | Read group properties and memberships from Microsoft Entra ID. Cortex uses this permission to inventory security groups and assess group-based access control configurations. |
IdentityProvider.Read.All | Read identity provider configurations in Entra ID. Cortex uses this to assess federated identity provider settings as part of identity security posture management. |
Organization.Read.All | Read organization properties and settings from Microsoft Entra ID. Cortex uses this permission to assess tenant-level security configurations and organizational policies. |
Policy.Read.All | Read organization policies including conditional access from Microsoft Entra ID. Cortex uses this permission to evaluate conditional access, authentication, and authorization policies. |
Policy.Read.AuthenticationMethod | Read authentication method policies in Entra ID. Cortex uses this to assess the authentication methods policy configuration for security posture evaluation. |
RoleAssignmentSchedule.Read.Directory | Read role assignment schedules in Entra ID. Cortex uses this to inventory Privileged Identity Management (PIM) role assignments and assess privileged access configurations as part of identity security posture management. This permission is supported in commercial cloud environments only and is not available in government cloud regions. |
RoleManagement.Read.All | Read role definitions and role assignments from Microsoft Entra ID. Cortex uses this permission to assess privileged access configurations and role-based access control posture. |
User.Read.All | Read user profiles and properties from Microsoft Entra ID. Cortex uses this permission to inventory user accounts and assess identity security configurations. |
Conditional (opt-in). Deployed only when the customer enables Audit Logs. Routes Azure Activity Log (and at Tenant scope, Entra ID logs) to a Cortex-owned Event Hub, read by a dedicated Audit UAMI.
Microsoft built-in Azure RBAC role granting receive access to messages in an Event Hub. Permissions are maintained and documented by Microsoft, and are not listed here.
Created when | Audit Logs capability enabled. |
Assigned to | Customer-owned Audit UAMI cortexAuditUAMI-{suffix}. |
Assignment scope | The Cortex-created Event Hub Namespace CortexEventHubNamespace-{suffix} only. No access to any customer-owned Event Hub. |
Used by | Cortex, to read Activity Log (and at Tenant scope, Entra ID log) events from the Cortex-owned Event Hub. Cortex authenticates as the Audit UAMI via Workload Identity Federation. |
Microsoft built-in Azure RBAC role granting read, write, and delete access to blob data in a Storage Account. Permissions are maintained and documented by Microsoft, and are not listed here.
Created when | Audit Logs capability enabled. |
Assigned to | Customer-owned Audit UAMI cortexAuditUAMI-{suffix}. |
Assignment scope | The Cortex-created Storage Account cxa{suffix} only. No access to any customer-owned Storage Account. |
Used by | Cortex, to write Event Hub processing checkpoints (offsets and sequence numbers, no customer data). |
The Agentless Disk Scanning (ADS) permissions enable Cortex to securely analyze virtual machine workloads and storage resources without installing software agents. These permissions grant the necessary access to create temporary snapshots, manage disk copies, and inventory VM metadata, allowing Cortex to perform deep vulnerability scanning while keeping production environments completely untouched.
ADSConnectorDiskRole-{suffix}
Custom Azure RBAC role granting read, write, and delete access to managed disks.
Created when | ADS capability enabled. |
Assigned to | Cortex Service Principal. |
Assignment scope | Matches the onboarded scope. |
Used by | Cortex ADS scanner during a scan run, to materialize a snapshot as a temporary disk, attach it to a scanner instance, and remove it on completion. |
ADSConnectorDiskRole-{suffix} permissions:
Permission | Description |
|---|---|
Microsoft.Compute/disks/delete | Delete disks after scanning has finished. This action is critical for remediation and resource hygiene, preventing data exfiltration and reducing the attack surface. It ensures that temporary disks used during analysis do not remain as dangling resources. |
Microsoft.Compute/disks/read | Retrieve disk metadata. This is used to identify disk properties and states, such as detecting dangling disks. It ensures accurate inventory and assessment of storage resources within the environment. |
Microsoft.Compute/disks/write | Create a disk from a snapshot before attaching it to a workload. This permission is essential for dynamic scanning and analysis without affecting the live environment. It allows the creation of a temporary disk copy to be analyzed securely by the scanner. |
ADSConnectorGalleryImageRole-{suffix}
Custom Azure RBAC role granting read access to Azure Compute Gallery images and to Compute images. Read-only.
Created when | ADS capability enabled. |
Assigned to | Cortex Service Principal. |
Assignment scope | Matches the onboarded scope. |
Used by | Cortex ADS scanner to identify VM images that are candidates for scanning. |
ADSConnectorGalleryImageRole-{suffix} permissions:
Permission | Description |
|---|---|
Microsoft.Compute/disks/beginGetAccess/action | Begin get access on disks (action). Cortex uses this for security assessment and operational visibility across the Azure environment. |
Microsoft.Compute/galleries/images/read | Read gallery images in order to create disks for image scanning. Cortex uses this to inventory VM images and identify those requiring security assessment and vulnerability scanning as part of agentless disk scanning operations. |
ADSConnectorSnapshotRole-{suffix}
Custom Azure RBAC role granting create and delete access to disk snapshots.
Created when | ADS capability enabled. |
Assigned to | Cortex Service Principal. |
Assignment scope | The Cortex-created resource group. |
Used by | Cortex ADS scanner at the start of a scan run, to snapshot the customer VM disk, and at the end, to delete the snapshot. |
ADSConnectorSnapshotRole-{suffix} permissions:
Permission | Description |
|---|---|
Microsoft.Compute/snapshots/delete | Delete snapshots after scanning has finished. This action is critical for remediation and resource hygiene, preventing data exfiltration and reducing the attack surface. It ensures that temporary snapshots used during analysis do not remain as dangling resources. |
Microsoft.Compute/snapshots/write | Create a snapshot of a disk. This permission is essential for dynamic scanning and analysis without affecting the live environment. It allows the creation of a temporary disk copy to be analyzed securely by the scanner. |
ADSConnectorVMRole-{suffix}
Custom Azure RBAC role granting read access to virtual machine metadata. Read-only.
Created when | ADS capability enabled. |
Assigned to | Cortex Service Principal. |
Assignment scope | Matches the onboarded scope. |
Used by | Cortex ADS scanner, on each scan cycle, to enumerate VMs and identify scanning targets. |
ADSConnectorVMRole-{suffix} permissions:
Permission | Description |
|---|---|
Microsoft.Compute/virtualMachines/read | Enable reading VM configurations. Cortex uses this to inventory virtual machines and identify those requiring security scanning. |
ADSGalleryImagesRole-{suffix}
Custom Azure RBAC role granting create and delete access to Azure Compute Gallery image versions.
Created when | ADS capability enabled. |
Assigned to | Cortex Service Principal. |
Assignment scope | The Cortex-created resource group. |
Used by | Cortex ADS scanner during a scan run, to publish and later remove the Compute Gallery image version used to boot the scanner instance. |
ADSGalleryImagesRole-{suffix} permissions:
Permission | Description |
|---|---|
Microsoft.Compute/galleries/images/delete | Delete temporary gallery images within Cortex-managed resource groups. Cortex uses this to clean up temporary gallery images created during legacy image scanning, ensuring no stale resources remain after analysis is complete. |
Microsoft.Compute/galleries/images/versions/delete | Delete temporary gallery image versions after legacy image scanning completes. Cortex uses this to clean up temporary image versions created during the scanning process, ensuring no orphaned resources remain in Cortex-managed resource groups. |
Microsoft.Compute/galleries/images/versions/read | Read gallery image version details within Cortex-managed resource groups. Cortex uses this to track the status of temporary image versions created during legacy image scanning operations. |
Microsoft.Compute/galleries/images/versions/write | Create temporary gallery image versions within Cortex-managed resource groups. Cortex uses this during legacy image scanning to create temporary image versions that facilitate the scanning process. |
Microsoft.Compute/galleries/images/write | Create temporary gallery images within Cortex-managed resource groups. Cortex uses this during legacy image scanning to create temporary gallery images that facilitate the scanning process. |
ADSOutpostRole-{suffix}
Custom Azure RBAC role granting read access to disk snapshot metadata. Read-only.
Created when | ADS capability enabled. |
Assigned to | Cortex Service Principal. |
Assignment scope | Matches the onboarded scope. |
Used by | Cortex ADS scanner to inspect existing disk snapshots and track scanning progress. |
ADSOutpostRole-{suffix} permissions:
Permission | Description |
|---|---|
Microsoft.Compute/snapshots/read | Read snapshot metadata across the onboarded scope (tenant, management group, or subscription) to manage the ADS scan snapshot lifecycle. |
Conditional (opt-in). Deployed only when serverless scanning is enabled. Retrieves Function App / Web App publish profiles to download function code for scanning.
serverlessScanningRole-{suffix}
Custom Azure RBAC role granting read access to App Service and Function App configuration, and the ability to retrieve the publish profile.
Created when | Serverless Scanning capability enabled. |
Assigned to | Cortex Service Principal. |
Assignment scope | Matches the onboarded scope. |
Used by | Cortex serverless scanner, on each scan cycle, to retrieve Function App and Web App code for analysis. |
serverlessScanningRole-{suffix} permissions:
Permission | Description |
|---|---|
Microsoft.Web/sites/config/list/action | List the non-public App Service / Function App configuration values, including app settings and connection strings. Cortex uses this to identify the function's runtime, handler, and referenced packages so it can correctly pull and scan the deployment artifact. Note that this action returns app settings and connection strings in clear text, so any secret stored directly in app settings (rather than as a Key Vault reference, which is returned unresolved) is readable by the Cortex Service Principal. |
Microsoft.Web/sites/publishxml/action | Retrieve the App Service / Function App publishing profile (the .publishsettings XML containing deployment credentials and Kudu/SCM endpoints). Cortex uses these credentials only to download the function's deployed code package for serverless vulnerability scanning, and never modifies the site or its configuration. The credentials themselves are standing basic-auth deployment credentials, so this role lets the principal obtain a secret that is also capable of deploying to the site; sites that disable basic-auth publishing reject those credentials at the SCM endpoint, so this retrieval path depends on basic auth being allowed. |
Microsoft.Web/sites/read | Read App Service and Function App resource metadata such as name, resource group, runtime stack, and SKU. Cortex uses this to discover the inventory of serverless workloads that should be scanned and to correlate scan findings back to each function. |
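To make concrete what publishxml/action hands over, the following added example (not Cortex code and not part of this reference) parses a publish profile of the shape the App Service publishxml operation returns, inventories each credential without echoing it, and derives the Kudu endpoint a read-only consumer would use to download the deployed code. The XML is constructed: the site name contoso-func, the hosts and the passwords are placeholders, and the Kudu /api/zip path is the public Kudu REST API rather than anything specific to Cortex.

```python
"""Inventory the credentials in an App Service publish profile.

Added example, not Cortex code. It parses the .publishsettings XML returned by
Microsoft.Web/sites/publishxml/action, lists each profile's endpoint and user
name, and derives the Kudu URL a read-only consumer would use to fetch the
deployed code. The XML below is constructed with placeholder values.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample in the shape of a real publish profile; only the
# attributes used below are kept, a real profile carries more.
SAMPLE_PUBLISH_XML = """<publishData>
  <publishProfile profileName="contoso-func - Web Deploy" publishMethod="MSDeploy"
      publishUrl="contoso-func.scm.azurewebsites.net:443" msdeploySite="contoso-func"
      userName="$contoso-func" userPWD="placeholder-msdeploy-secret"
      destinationAppUrl="https://contoso-func.azurewebsites.net" />
  <publishProfile profileName="contoso-func - FTP" publishMethod="FTP"
      publishUrl="ftps://waws-prod-xx-000.ftp.azurewebsites.windows.net/site/wwwroot"
      userName="contoso-func\\$contoso-func" userPWD="placeholder-ftp-secret" />
  <publishProfile profileName="contoso-func - Zip Deploy" publishMethod="ZipDeploy"
      publishUrl="contoso-func.scm.azurewebsites.net:443"
      userName="$contoso-func" userPWD="placeholder-zipdeploy-secret" />
</publishData>"""

SCM_METHODS = {"MSDeploy", "ZipDeploy"}  # methods that authenticate to the Kudu/SCM site


def parse_publish_profile(xml_text: str) -> List[dict]:
    """Return one record per <publishProfile>, never echoing the password itself."""
    # The XML comes from the ARM API response for a site the caller already
    # controls; use defusedxml instead if the file is of uncertain origin.
    root = ET.fromstring(xml_text)
    records = []
    for node in root.iter("publishProfile"):
        pwd = node.get("userPWD", "")
        records.append({
            "method": node.get("publishMethod"),
            "endpoint": node.get("publishUrl"),
            "user": node.get("userName"),
            "has_password": bool(pwd),
            "password_length": len(pwd),
        })
    return records


def kudu_code_download_url(record: dict) -> Optional[str]:
    """Kudu zip endpoint for the deployed code, for SCM-capable profiles only.

    GET /api/zip/site/wwwroot/ with the profile's basic-auth credential returns
    the site content as a zip. The same credential is accepted by
    POST /api/zipdeploy, so "read-only use" is a policy of the caller, not a
    property of the credential.
    """
    if record["method"] not in SCM_METHODS:
        return None
    host = record["endpoint"].split(":")[0]  # drop the :443 suffix
    return f"https://{host}/api/zip/site/wwwroot/"


def summarize(xml_text: str) -> List[str]:
    """One human-readable line per profile, with the password masked."""
    lines = []
    for rec in parse_publish_profile(xml_text):
        target = kudu_code_download_url(rec) or rec["endpoint"]
        state = "set" if rec["has_password"] else "absent"
        lines.append(f"{rec['method']:<9} user={rec['user']!r} password={state} -> {target}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_PUBLISH_XML)))
```

Three separate credentials (Web Deploy, FTP, Zip Deploy) come back in one call, each usable for writes; when reviewing this role, treat publishxml/action as granting the ability to obtain deploy credentials, whatever the consumer chooses to do with them.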
Conditional (opt-in). This capability is deployed only when Registry Scanning is enabled. It adds container registry pull/read permissions for image scanning. If the Private Registry sub-flow is also enabled, the capability additionally includes a private-endpoint-approval permission.
registryScanningRole-{suffix}
Custom Azure RBAC role granting pull access to Azure Container Registry images and read access to registry metadata. Read-only on registry data plane.
Created when | Registry Scanning capability enabled. |
Assigned to | Cortex Service Principal. |
Assignment scope | Subscription. |
Used by | Cortex container-image scanner, on each scan cycle, to fetch images for analysis. |
registryScanningRole-{suffix} permissions:
Permission | Description |
|---|---|
Microsoft.ContainerRegistry/registries/pull/read | Pull image manifests and layers from Azure Container Registry instances (data-plane read). Cortex uses this to fetch container images for vulnerability scanning; it grants no push or delete rights. |
Microsoft.ContainerRegistry/registries/read | Read the configuration and properties of Azure Container Registry (ACR) instances, such as the login server and network settings. Cortex uses this to enumerate the registries in scope and resolve where to pull images from. This read-only access does not modify any registry resources. |
azurePrivateRegistryRole-{suffix}
Custom Azure RBAC role granting permission to approve private endpoint connections to Azure Container Registry. Used to enable Cortex to reach customer registries that have public network access disabled.
Created when | Both private registry connection and registry scanning are active. |
Assigned to | Cortex Service Principal. |
Assignment scope | Subscription. |
Used by | Cortex, to approve private endpoint connections so it can pull images from registries that have public access disabled. |
azurePrivateRegistryRole-{suffix} permissions:
Permission | Description |
|---|---|
Microsoft.ContainerRegistry/registries/PrivateEndpointConnectionsApproval/action | Approve private endpoint connections to container registries. Cortex uses this to approve the connection from its scanning network to a registry that has public network access disabled, so it can pull images over a private endpoint. Approving a connection adds a network path into the registry; the connections approved with this role are listed on the registry's private endpoint connections and can be audited there. |
Conditional (opt-in). Deployed only when Data Security Posture Management is enabled. This capability assesses how customer data is stored, configured, and protected by reading data-store metadata, sampling data content for classification, and inspecting encryption and network configuration.
dspmConnectorRGRole-{suffix}
Custom Azure RBAC role granting permission to manage scanning infrastructure inside the Cortex-created resource group: virtual networks, route tables, network security groups, SQL servers, SQL databases, and SQL managed instances. All write and delete actions are scoped to the Cortex resource group and cannot affect customer-owned resources outside of it.
Created when | DSPM capability enabled. |
Assigned to | Cortex Service Principal. |
Assignment scope | The Cortex-created resource group. |
Used by | Cortex DSPM scanner to provision and tear down the network and SQL infrastructure used for the clone-scan workflow inside the Cortex resource group. |
dspmConnectorRGRole-{suffix} permissions:
Permission | Description |
|---|---|
Microsoft.Network/networkSecurityGroups/delete | Delete network security groups within Cortex-managed resource groups. Cortex uses this to clean up temporary network security configurations after data classification operations are complete, ensuring no stale security resources remain. |
Microsoft.Network/networkSecurityGroups/join/action | Associate network security groups with subnets or network interfaces within Cortex-managed resource groups. Cortex uses this to apply network access controls to scanning infrastructure, ensuring secure and isolated communication for data classification operations. |
Microsoft.Network/networkSecurityGroups/securityRules/delete | Delete rules from network security groups within Cortex-managed resource groups. Cortex uses this to remove rules applied to the scanning infrastructure once data classification operations are complete. |
Microsoft.Network/networkSecurityGroups/securityRules/write | Create or update rules in network security groups within Cortex-managed resource groups. Cortex uses this to restrict traffic to and from the scanning infrastructure to what data classification operations require. |
Microsoft.Network/networkSecurityGroups/write | Create or update network security groups within Cortex-managed resource groups. Cortex uses this to configure network access controls for scanning infrastructure, ensuring that only authorized traffic flows between scanning components. |
Microsoft.Network/routeTables/delete | Delete route tables within Cortex-managed resource groups. Cortex uses this to clean up temporary routing configurations after data classification operations are complete, ensuring no stale network resources remain. |
Microsoft.Network/routeTables/join/action | Associate route tables with subnets within Cortex-managed resource groups. Cortex uses this to apply routing configurations to scanning network segments, ensuring proper traffic management for data classification operations. |
Microsoft.Network/routeTables/write | Create or update route tables within Cortex-managed resource groups. Cortex uses this to configure network routing for scanning infrastructure, ensuring proper traffic flow between scanning components and database resources. |
Microsoft.Network/virtualNetworks/delete | Delete virtual networks within Cortex-managed resource groups. Cortex uses this to clean up temporary network infrastructure after data classification operations are complete, ensuring no stale network resources remain in the environment. |
Microsoft.Network/virtualNetworks/join/action | Join resources to virtual networks within Cortex-managed resource groups. Cortex uses this to attach scanning infrastructure to the Cortex-created virtual network used for data classification operations. |
Microsoft.Network/virtualNetworks/subnets/delete | Delete virtual network subnets within Cortex-managed resource groups. Cortex uses this to clean up temporary network infrastructure after data classification operations are complete, ensuring no stale network resources remain. |
Microsoft.Network/virtualNetworks/subnets/join/action | Associate subnets with resources within Cortex-managed resource groups. Cortex uses this to connect scanning VMs and database resources to the appropriate network segments for secure data classification operations. |
Microsoft.Network/virtualNetworks/subnets/write | Create or update subnets within Cortex-managed virtual networks. Cortex uses this to configure network segmentation for scanning infrastructure, ensuring secure and isolated communication between scanning components. |
Microsoft.Network/virtualNetworks/write | Create or update virtual networks within Cortex-managed resource groups. Cortex uses this to provision network infrastructure required for secure connectivity between scanning VMs and temporary database resources used for data classification. |
Microsoft.Sql/managedInstances/* | Perform any Azure SQL Managed Instance management action within Cortex-managed resource groups, including creation, configuration, deletion, and data management. The wildcard covers every current and future action under Microsoft.Sql/managedInstances, which is why the assignment is limited to the Cortex-created resource group. Cortex uses this to provision and manage temporary SQL Managed Instance infrastructure for data classification of managed instance databases. |
Microsoft.Sql/servers/databases/delete | Delete databases on the Cortex-created Azure SQL servers that are no longer needed. Cortex uses this to clean up temporary database copies after data classification operations are complete, ensuring no stale data assets remain. |
Microsoft.Sql/servers/databases/read | Read SQL databases within the Cortex-created resource group. Cortex uses this to track the temporary database copies it creates for classification. |
Microsoft.Sql/servers/databases/resume/action | Resume paused Azure SQL databases within Cortex-managed resource groups. Cortex uses this to manage the lifecycle of temporary database copies used for data classification, ensuring databases are available when scanning operations need to proceed. |
Microsoft.Sql/servers/databases/write | Copy and manage SQL databases on the Cortex-created Azure SQL servers. Cortex uses this to create temporary database copies for data classification and sensitive data discovery, enabling scanning without impacting production databases. |
Microsoft.Sql/servers/delete | Delete Cortex-created Azure SQL servers that are no longer needed. Cortex uses this to clean up temporary SQL server infrastructure after data classification operations are complete, ensuring no stale resources remain. |
Microsoft.Sql/servers/PrivateEndpointConnectionsApproval/action | Approve private endpoint connections to the Cortex-created Azure SQL servers. Cortex uses this to establish private connectivity between scanning infrastructure and temporary SQL servers, ensuring data classification operations occur over private network paths. |
Microsoft.Sql/servers/virtualNetworkRules/write | Configure virtual network rules on the Cortex-created Azure SQL servers to allow access from scanning VMs. Cortex uses this to establish network connectivity between scanning infrastructure and the temporary SQL servers used for data classification. |
Microsoft.Sql/servers/write | Create and manage Cortex-created Azure SQL servers within Cortex-managed resource groups. Cortex uses this to provision temporary SQL server infrastructure required for data classification operations, enabling scanning of customer database content on copies rather than production. |
*/read | Read-only access to the metadata of every resource type within the Cortex-created resource group. Because the assignment scope is that resource group, the wildcard does not extend to customer resources outside it; Cortex uses it to inventory the scanning infrastructure it provisions there. |
dspmConnectorRole-{suffix}
Custom Azure RBAC role granting permission to approve storage account private endpoint connections and read storage blob and file share data. Required for the DSPM clone-scan workflow which clones customer SQL databases into the Cortex resource group for offline scanning.
Created when | DSPM capability enabled. |
Assigned to | Cortex Service Principal. |
Assignment scope | Subscription. |
Used by | Cortex DSPM scanner to set up the clone-scan workflow, approve private endpoints, and read storage data. |
dspmConnectorRole-{suffix} permissions:
Permission | Description |
|---|---|
Microsoft.Sql/managedInstances/databases/write | Create or update SQL Managed Instance database settings. Cortex uses this permission to enable data classification and sensitivity labeling for data security posture management. Because the assignment is at subscription scope, the action is permitted on every SQL Managed Instance database in the subscription, not only those in the Cortex-created resource group. |
Microsoft.Sql/servers/databases/write | Copy and manage SQL databases on the Cortex-created Azure SQL servers. Cortex uses this to create temporary database copies for data classification and sensitive data discovery, enabling scanning without impacting production databases. Because the assignment is at subscription scope, the action is permitted on every Azure SQL server in the subscription; Cortex exercises it only against the Cortex-created servers. |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Read blob data to perform DSPM data classification and sensitive data discovery scanning |
Microsoft.Storage/storageAccounts/fileServices/fileShares/files/read | Read file share data to perform DSPM data classification and sensitive data discovery scanning |
Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action | Approve private endpoint connections to storage accounts located in private networks. Cortex uses this to establish secure, private connectivity for DSPM scanning operations, ensuring that data classification can be performed on storage accounts that are not publicly accessible. |
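Two things in the DSPM roles are worth verifying in a deployed tenant rather than taking from the tables: the wildcards in dspmConnectorRGRole (Microsoft.Sql/managedInstances/* and */read), which are safe only because that role is assigned at the Cortex-created resource group, and the write actions in dspmConnectorRole, which sit at subscription scope. The following is an added example, not Cortex or Microsoft code. It assumes the flattened JSON field names that `az role definition list --custom-role-only true` and `az role assignment list --all` print (roleName, permissions, id, roleDefinitionId, scope), and it embeds constructed sample data with placeholder subscription and role-definition IDs and a hypothetical suffix abc123 so it runs offline. The documented table for dspmConnectorRole is transcribed from this page; the sample definition adds one action that is not in the table so the drift check has something to find.

```python
"""Audit Cortex custom roles and their assignments against this page's tables.

Added example, not Cortex or Microsoft code. Consumes the flattened JSON that
`az role definition list --custom-role-only true` and
`az role assignment list --all` print (only the fields used here) and reports
wildcard actions, mutating actions, actions granted beyond the documented
table, and assignments broader than the documented scope. Sample data is
constructed; IDs and the abc123 suffix are placeholders.
"""
import re

# Transcribed from this page. "actions": None means the table was not copied
# here, so only the scope is checked for that role.
DOCUMENTED = {
    "dspmConnectorRGRole": {"scope_kind": "rg", "actions": None},
    "dspmConnectorRole": {
        "scope_kind": "sub",
        "actions": {
            "Microsoft.Sql/managedInstances/databases/write",
            "Microsoft.Sql/servers/databases/write",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
            "Microsoft.Storage/storageAccounts/fileServices/fileShares/files/read",
            "Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action",
        },
    },
}
SCOPE_RANK = {"resource": 0, "rg": 1, "sub": 2, "mg": 3, "root": 4}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # placeholder
RG_ROLE_ID = f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/11111111-1111-1111-1111-111111111111"
SUB_ROLE_ID = f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/22222222-2222-2222-2222-222222222222"

# Constructed `az role definition list` output (flattened fields only).
SAMPLE_ROLE_DEFINITIONS = [
    {"id": RG_ROLE_ID, "roleName": "dspmConnectorRGRole-abc123",
     "permissions": [{"actions": ["Microsoft.Network/virtualNetworks/write",
                                  "Microsoft.Sql/managedInstances/*", "*/read"],
                      "notActions": [], "dataActions": [], "notDataActions": []}]},
    {"id": SUB_ROLE_ID, "roleName": "dspmConnectorRole-abc123",
     "permissions": [{"actions": [
         "Microsoft.Sql/managedInstances/databases/write",
         "Microsoft.Sql/servers/databases/write",
         "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
         "Microsoft.Storage/storageAccounts/fileServices/fileShares/files/read",
         "Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action",
         "Microsoft.Storage/storageAccounts/listKeys/action",  # drift: not in the table
     ], "notActions": [], "dataActions": [], "notDataActions": []}]},
]
# Constructed `az role assignment list` output (flattened fields only).
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionId": RG_ROLE_ID, "scope": f"{SUB}/resourceGroups/cortex-rg-abc123"},
    {"roleDefinitionId": SUB_ROLE_ID, "scope": SUB},
]


def scope_kind(scope: str) -> str:
    """Classify an ARM scope string by breadth."""
    s = scope.lower()
    if s == "/":
        return "root"
    if s.startswith("/providers/microsoft.management/managementgroups/"):
        return "mg"
    if re.fullmatch(r"/subscriptions/[^/]+", s):
        return "sub"
    if re.fullmatch(r"/subscriptions/[^/]+/resourcegroups/[^/]+", s):
        return "rg"
    return "resource"


def base_name(role_name: str) -> str:
    """Strip the per-deployment -{suffix} so 'dspmConnectorRole-abc123' matches the table."""
    return role_name.rsplit("-", 1)[0]


def is_mutating(action: str) -> bool:
    """True for actions that can change state, including wildcards that contain such actions."""
    a = action.lower()
    return a == "*" or a.endswith(("/write", "/delete", "/action", "/*"))


def audit_definition(role_def: dict) -> dict:
    """Compare one role definition with its documented table; all comparisons are case-insensitive."""
    actions = {a.lower() for p in role_def["permissions"] for a in p.get("actions", [])}
    data_actions = {a.lower() for p in role_def["permissions"] for a in p.get("dataActions", [])}
    doc = DOCUMENTED.get(base_name(role_def["roleName"]), {}).get("actions")
    documented = {a.lower() for a in doc} if doc else None
    return {
        "role": role_def["roleName"],
        "wildcards": sorted(a for a in actions | data_actions if "*" in a),
        "mutating": sorted(a for a in actions if is_mutating(a)),
        "undocumented_actions": sorted(actions - documented) if documented else [],
        "missing_actions": sorted(documented - actions) if documented else [],
    }


def audit_assignments(assignments: list, role_defs: list) -> list:
    """Flag assignments broader than documented, and mutating roles at subscription scope or wider."""
    by_id = {d["id"].lower(): d for d in role_defs}
    findings = []
    for asg in assignments:
        role = by_id.get(asg["roleDefinitionId"].lower())
        if role is None:
            continue  # built-in role, or not part of the export
        kind = scope_kind(asg["scope"])
        expected = DOCUMENTED.get(base_name(role["roleName"]), {}).get("scope_kind")
        if expected and SCOPE_RANK[kind] > SCOPE_RANK[expected]:
            findings.append({"role": role["roleName"], "issue": "broader_than_documented",
                             "scope": asg["scope"], "documented": expected})
        mutating = audit_definition(role)["mutating"]
        if mutating and SCOPE_RANK[kind] >= SCOPE_RANK["sub"]:
            findings.append({"role": role["roleName"], "issue": "mutating_at_broad_scope",
                             "scope": asg["scope"], "actions": mutating})
    return findings


if __name__ == "__main__":
    for d in SAMPLE_ROLE_DEFINITIONS:
        print(audit_definition(d))
    for f in audit_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_ROLE_DEFINITIONS):
        print(f)
```

On the sample data the resource-group role reports its two wildcards but no scope finding, because the assignment is at the Cortex resource group as documented, while the subscription role produces one finding for mutating actions at subscription scope plus the undocumented listKeys action. To run it against a real tenant, replace the two SAMPLE_ constants with the parsed output of the two `az` commands and extend DOCUMENTED with the remaining tables on this page.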
dspmRole-{suffix}
Custom Azure RBAC role granting read access to customer data-store metadata and the ability to sample data content from supported data services for security posture assessment.
Created when | DSPM capability enabled. |
Assigned to | Cortex Service Principal. |
Assignment scope | Subscription. |
Used by | Cortex DSPM scanner, to discover customer data assets, retrieve the keys needed to scan them, and read the data for classification. |
dspmRole-{suffix} permissions:
Permission | Description |
|---|---|
Microsoft.CognitiveServices/accounts/AIServices/agents/read | Read AI Services agent configurations to inventory AI agents for DSPM posture assessment |
Microsoft.CognitiveServices/accounts/AIServices/connections/read | Read AI Services connections to map data flows and integration points for DSPM |
Microsoft.CognitiveServices/accounts/AIServices/fine_tuning/read | Read AI Services fine-tuning data to discover and classify training data for DSPM |
Microsoft.CognitiveServices/accounts/OpenAI/files/read | Read OpenAI files to discover and classify data within Azure OpenAI deployments for DSPM |
Microsoft.CognitiveServices/accounts/OpenAI/fine-tunes/read | Read OpenAI fine-tuning data to discover and classify training data for DSPM |
Microsoft.CognitiveServices/accounts/OpenAI/models/read | Read OpenAI model metadata to inventory AI models for DSPM posture assessment |
Microsoft.DocumentDB/databaseAccounts/readOnlyKeys/action | Read Cosmos DB read-only keys to authenticate data access for DSPM scanning of document databases |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Read blob data to perform DSPM data classification and sensitive data discovery scanning |
Microsoft.Storage/storageAccounts/blobServices/containers/read | Read blob container metadata to discover and inventory blob data stores for DSPM scanning |
Microsoft.Storage/storageAccounts/fileServices/fileShares/files/read | Read file share data to perform DSPM data classification and sensitive data discovery scanning |
Microsoft.Storage/storageAccounts/fileServices/shares/read | Read file share metadata to discover and inventory file share data stores for DSPM scanning |
Microsoft.Storage/storageAccounts/read | Read storage account properties to discover and inventory data stores for DSPM scanning |
dspmRole-{suffix} (outpost variant)
Custom Azure RBAC role granting read access to customer data-store metadata on outposts and the ability to sample data content from supported data services for security posture assessment. The outpost has the targeted read-only and authentication permissions required to securely discover, index, and classify sensitive data entirely from within your environment.
Created when | DSPM capability enabled for outposts. |
Assigned to | Cortex Service Principal. |
Assignment scope | Subscription. |
Used by | Cortex DSPM outpost scanner, to discover customer data assets, retrieve the keys needed to scan them, and read the data for classification. |
dspmRole-{suffix} (outpost variant) permissions:
Permission | Description |
|---|---|
Microsoft.CognitiveServices/accounts/AIServices/agents/read | Read AI Services agent configurations to inventory AI agents for DSPM posture assessment |
Microsoft.CognitiveServices/accounts/AIServices/connections/read | Read AI Services connections to map data flows and integration points for DSPM |
Microsoft.CognitiveServices/accounts/AIServices/fine_tuning/read | Read AI Services fine-tuning data to discover and classify training data for DSPM |
Microsoft.CognitiveServices/accounts/OpenAI/files/read | Read OpenAI files to discover and classify data within Azure OpenAI deployments for DSPM |
Microsoft.CognitiveServices/accounts/OpenAI/fine-tunes/read | Read OpenAI fine-tuning data to discover and classify training data for DSPM |
Microsoft.CognitiveServices/accounts/OpenAI/models/read | Read OpenAI model metadata to inventory AI models for DSPM posture assessment |
Microsoft.DocumentDB/databaseAccounts/readOnlyKeys/action | Read Cosmos DB read-only keys to authenticate data access for DSPM scanning of document databases |
Microsoft.Search/searchServices/dataSources/read | Read Azure AI Search data source configurations to map data lineage for DSPM |
Microsoft.Search/searchServices/indexers/read | Read Azure AI Search indexer configurations to understand data ingestion paths for DSPM |
Microsoft.Search/searchServices/indexes/documents/read | Read Azure AI Search index documents to classify and discover sensitive data for DSPM |
Microsoft.Search/searchServices/indexes/read | Read Azure AI Search indexes to discover and classify data within search service indexes |
Microsoft.Search/searchServices/listAdminKeys/action | List admin keys for Azure AI Search to authenticate data access for DSPM scanning. Admin keys grant full read and write control of the search service (indexes, indexers, data sources), unlike query keys, which are read-only. |
Microsoft.Search/searchServices/listQueryKeys/action | List query keys for Azure AI Search to authenticate read-only data access for DSPM scanning |
Microsoft.Search/searchServices/PrivateEndpointConnectionsApproval/action | Approve private endpoint connections to Azure AI Search for secure DSPM scanning |
Microsoft.Search/searchServices/read | Read Azure AI Search service properties to discover search services for DSPM scanning |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Read blob data to perform DSPM data classification and sensitive data discovery scanning |
Microsoft.Storage/storageAccounts/blobServices/containers/read | Read blob container metadata to discover and inventory blob data stores for DSPM scanning |
Microsoft.Storage/storageAccounts/fileServices/fileShares/files/read | Read file share data to perform DSPM data classification and sensitive data discovery scanning |
Microsoft.Storage/storageAccounts/fileServices/shares/read | Read file share metadata to discover and inventory file share data stores for DSPM scanning |
Microsoft.Storage/storageAccounts/read | Read storage account properties to discover and inventory data stores for DSPM scanning |
Microsoft built-in Azure RBAC role granting permission to wrap and unwrap encryption keys via Azure Key Vault. Cortex assigns this role whenever DSPM is enabled (in both Cloud Scan and Outpost deployment modes) and uses it to scan SQL servers and databases protected by customer-managed Transparent Data Encryption (TDE) keys. Wrap and unwrap are Key Vault data-plane actions, so the role takes effect only on vaults that use the Azure RBAC permission model; vaults still using the legacy access-policy model do not honor Azure RBAC role assignments for data-plane operations.
Created when | DSPM capability is enabled. |
Assigned to | The customer's Outpost Managed Identity. Not assigned to the Cortex Service Principal. |
Assignment scope | Matches the onboarded scope. |
Used by | The Cortex Outpost scanner to decrypt customer SQL data protected by customer-managed TDE keys, so DSPM can read and classify that data. |
Conditional (opt-in). Allows Cortex to automatically remediate misconfigurations on customer Azure resources by modifying networking, storage, compute, identity-protection, and database resource configurations.
Note
Unified Cortex platform cloud content packs require a specific set of automation permissions to enable full integration with your cloud environment. Before configuring access for these packs, review the automation permission scope guidelines.
automationRole-{suffix}
Custom Azure RBAC role that grants the Cortex Service Principal write and delete access on customer resources for automated remediation. Cortex uses this role to apply fixes to misconfigurations detected by CSPM across networking, storage, compute, identity protection, and database resource types.
Created when | Automation capability enabled. |
Assigned to | Cortex Service Principal. |
Assignment scope | Subscription. |
Used by | Cortex Automation engine to execute remediation workflows on customer resources when CSPM detects a misconfiguration the customer has authorized Cortex to fix automatically. |
automationRole-{suffix} permissions:
Permission | Description |
|---|---|
Microsoft.Authorization/policyAssignments/read | Read the configuration of Microsoft Defender for Cloud policy assignments. Cortex uses this to assess the current compliance posture and identify policy gaps that may require automated remediation. This read-only access supports security monitoring without modifying any policy configurations. |
Microsoft.Authorization/policyAssignments/write | Apply Microsoft Defender for Cloud policy assignments to enable security configurations monitoring. Cortex uses this to remediate issues detected by the "Azure Microsoft Defender for Cloud security configurations monitoring is set to disabled" rule. This automated remediation ensures that security monitoring remains active across the environment. |
Microsoft.Compute/disks/read | Retrieve disk metadata. This is used to identify disk properties and states, such as detecting dangling disks. It ensures accurate inventory and assessment of storage resources within the environment. |
Microsoft.Compute/disks/write | Create a disk from a snapshot before attaching it to a workload. This permission is essential for dynamic scanning and analysis without affecting the live environment. It allows the creation of a temporary disk copy to be analyzed securely by the scanner. |
Microsoft.Compute/virtualMachines/powerOff/action | Power off (stop) an existing Azure Virtual Machine, moving it from Running to Stopped. Cortex uses this for automated incident response such as isolating compromised virtual machines without deleting the resource. Note that powerOff leaves the VM allocated, so compute charges continue; releasing the hardware requires Microsoft.Compute/virtualMachines/deallocate/action, which is not part of this role. Required for command: azure-vm-instance-power-off. |
Microsoft.Compute/virtualMachines/read | Enable reading VM configurations. Cortex uses this to inventory virtual machines and identify those requiring security scanning. |
Microsoft.Compute/virtualMachines/start/action | Power on an existing Azure Virtual Machine to change its state from Stopped to Running. Cortex uses this for automation workflows involving VM lifecycle management and enabling authorized operators to restore service availability. Required for command: azure-vm-instance-start. |
Microsoft.Consumption/budgets/read | Read the configuration and current status of established Azure budgets. Cortex uses this for cost monitoring and alerting capabilities, helping maintain visibility into cloud spending patterns. This read-only access does not modify any budget configurations. |
Microsoft.Consumption/usageDetails/read | Read detailed usage information for Azure resources including costs and quantity consumed. Cortex uses this for cloud cost analysis and optimization recommendations, providing visibility into resource consumption patterns. This read-only access supports financial governance without modifying any usage data. |
Microsoft.ContainerRegistry/registries/read | Read the configuration and properties of Azure Container Registry (ACR) instances. Cortex uses this to assess container registry security settings such as export configurations as part of automation workflows. This read-only access does not modify any registry resources. |
Microsoft.ContainerRegistry/registries/write | Update the Azure Container Registry (ACR) configuration to disable exports. Cortex uses this to remediate issues detected by the "Azure Container Registry with exports enabled" rule. This automated remediation helps prevent unauthorized data exfiltration through container registry exports. |
Microsoft.CostManagement/forecast/read | Read predictive forecasts and historical trends for future Azure costs. Cortex uses this to provide predictive cost insights for cloud management, helping organizations plan budgets and identify potential cost anomalies. This read-only access does not modify any cost management data. |
Microsoft.DBforMySQL/flexibleServers/configurations/read | Read the configuration settings of Azure MySQL flexible servers. Cortex uses this to assess database security settings such as SSL enforcement configurations as part of automation workflows. This read-only access does not modify any database configurations. |
Microsoft.DBforMySQL/flexibleServers/configurations/write | Update the Azure MySQL flexible server configuration to enforce SSL connections. Cortex uses this to remediate issues detected by the "Azure MySQL database flexible server SSL enforcement is disabled" rule. This automated remediation ensures encrypted database connections, protecting data in transit. |
Microsoft.DBforPostgreSQL/servers/configurations/read | Read the configuration settings of Azure PostgreSQL servers. Cortex uses this to assess database security settings such as connection throttling parameters as part of automation workflows. This read-only access does not modify any database configurations. |
Microsoft.DBforPostgreSQL/servers/configurations/write | Update Azure PostgreSQL server configurations to enable the connection throttling parameter. Cortex uses this to remediate issues detected by the "Azure PostgreSQL database server with connection throttling parameter is disabled" rule. This automated remediation helps protect databases from brute-force attacks and connection flooding. |
Microsoft.DBforPostgreSQL/servers/read | Read the configuration and properties of Azure PostgreSQL servers. Cortex uses this to inventory databases and assess their security configurations such as SSL connection settings as part of automation workflows. This read-only access does not modify any server resources. |
Microsoft.DBforPostgreSQL/servers/write | Update the Azure PostgreSQL server configuration to enable the SSL connection feature. Cortex uses this to remediate issues detected by the "Azure PostgreSQL database server with SSL connection disabled" rule. This automated remediation ensures encrypted connections to the database, protecting data in transit. |
Microsoft.DocumentDB/databaseAccounts/read | Read the configuration and properties of Azure Cosmos DB database accounts. Cortex uses this to assess NoSQL database security settings such as key-based authentication configurations as part of automation workflows. This read-only access does not modify any database resources. |
Microsoft.DocumentDB/databaseAccounts/write | Modify Azure Cosmos DB accounts to disable key-based metadata write access. Cortex uses this to remediate issues detected by the "Azure Cosmos DB key based authentication is enabled" rule. This automated remediation strengthens database security by requiring Microsoft Entra ID (formerly Azure Active Directory) authentication for metadata writes instead of account keys. |
Microsoft.Insights/logProfiles/read | Read the configuration of Azure Activity Log profiles. Cortex uses this to assess audit logging coverage and verify that activity log retention periods meet security requirements. This read-only access does not modify any log profile configurations. |
Microsoft.Insights/logProfiles/write | Set the Azure Activity Log retention period to 365 days or more. Cortex uses this to remediate issues detected by the "Azure Activity Log retention should not be set to less than 365 days" rule. This automated remediation ensures adequate audit trail retention for compliance and forensic investigation purposes. |
Microsoft.KeyVault/vaults/read | Read the configuration and properties of Azure Key Vaults. Cortex uses this to assess key management security settings such as recoverability configurations as part of automation workflows. This read-only access does not modify any Key Vault resources. |
Microsoft.KeyVault/vaults/write | Modify Azure Key Vault configurations to ensure recoverability by enabling soft-delete and purge protection. Cortex uses this to remediate issues detected by the "Azure Key Vault is not recoverable" rule. This automated remediation protects against accidental or malicious deletion of cryptographic keys and secrets. Purge protection cannot be turned off once enabled, so this remediation is irreversible by design. |
Microsoft.Network/loadBalancers/backendAddressPools/join/action | Join a load balancer backend address pool. Cortex uses this permission to configure network interfaces during automated remediation, invoked only when a security policy violation is detected. |
Microsoft.Network/networkInterfaces/read | Read network interface configurations, including the Network Security Group (NSG) associated with each interface. Cortex uses this to identify the interfaces attached to a given NSG as part of automation workflows. Required for command: azure-nsg-network-interfaces-list. |
Microsoft.Network/networkInterfaces/write | Create or update network interface configurations. Cortex uses this permission to modify network settings during automated remediation, invoked only when a security policy violation is detected. |
Microsoft.Network/networkSecurityGroups/join/action | Associate network security groups with subnets or network interfaces within Cortex-managed resource groups. Cortex uses this to apply network access controls to scanning infrastructure, ensuring secure and isolated communication for data classification operations. |
Microsoft.Network/networkSecurityGroups/read | Read the list and configurations of Network Security Groups (NSGs). Cortex uses this to assess network security posture and identify NSGs that may require remediation. Required for command: azure-nsg-security-groups-list. |
Microsoft.Network/networkSecurityGroups/securityRules/delete | Delete a Network Security Group (NSG) rule to stop overly permissive outbound traffic. Cortex uses this to remediate issues detected by the "Azure Network Security Group with overly permissive outbound rule" rule. This automated remediation tightens network security by removing rules that allow excessive access. Required for command: azure-nsg-security-rule-delete. |
Microsoft.Network/networkSecurityGroups/securityRules/read | Read the configuration of Network Security Group (NSG) rules to assess traffic permissions. Cortex uses this to evaluate whether NSG rules are overly permissive and to determine if remediation is needed. Required for command: azure-nsg-security-rule-get. |
Microsoft.Network/networkSecurityGroups/securityRules/write | Modify or create Network Security Group (NSG) rules to stop overly permissive outbound traffic. Cortex uses this to remediate issues detected by the "Azure Network Security Group with overly permissive outbound rule" rule. This automated remediation restricts network access to only what is necessary. Required for command: azure-nsg-security-rule-create. |
Microsoft.Network/networkSecurityGroups/write | Create or update network security groups within Cortex-managed resource groups. Cortex uses this to configure network access controls for scanning infrastructure, ensuring that only authorized traffic flows between scanning components. |
Microsoft.Network/publicIPAddresses/join/action | Associate a public IP address with a network resource. Cortex uses this permission to manage public IP associations during automated remediation, invoked only when a security policy violation is detected. |
Microsoft.Network/publicIPAddresses/read | Read and list the public IP addresses associated with Network Security Groups (NSGs) and VMs, and their details. Cortex uses this to identify externally exposed resources and assess their security posture as part of automation workflows. Required for commands: azure-nsg-public-ip-addresses-list and azure-vm-public-ip-details-get. |
Microsoft.Network/virtualNetworks/subnets/join/action | Associate subnets with resources within Cortex-managed resource groups. Cortex uses this to connect scanning VMs and database resources to the appropriate network segments for secure data classification operations. |
Microsoft.Resources/subscriptions/read | Read the status and details of Azure subscriptions. Cortex uses this to understand the Azure environment structure and enumerate available subscriptions for automation workflows. Required for command: azure-nsg-subscriptions-list. |
Microsoft.Resources/subscriptions/resourceGroups/read | Read the status and details of resource groups within a subscription. Cortex uses this to inventory Azure resources and understand the organizational structure of the environment. Required for command: azure-nsg-resource-group-list. |
Microsoft.Sql/servers/databases/securityAlertPolicies/read | Read the security alert policy configuration for Azure SQL Databases. Cortex uses this to assess database threat detection configurations and determine whether email notifications for Threat Detection are properly enabled. This read-only access does not modify any security alert policies. |
Microsoft.Sql/servers/databases/securityAlertPolicies/write | Update the security alert policy for Azure SQL Databases to enable email notifications for Threat Detection. Cortex uses this to remediate issues detected by the "Azure SQL Databases with disabled Email service and co-administrators for Threat Detection" rule. This automated remediation ensures that security alerts are properly communicated to administrators. |
Microsoft.Sql/servers/databases/transparentDataEncryption/read | Read the Transparent Data Encryption (TDE) status for Azure SQL databases. Cortex uses this to assess database encryption posture and determine whether TDE is properly enabled. This read-only access does not modify any encryption settings. |
Microsoft.Sql/servers/databases/transparentDataEncryption/write | Enable Transparent Data Encryption (TDE) on Azure SQL databases. Cortex uses this to remediate issues detected by the "Azure SQL database Transparent Data Encryption (TDE) encryption disabled" rule. This automated remediation ensures that data at rest is encrypted, protecting sensitive information stored in the database. |
Microsoft.Storage/storageAccounts/blobServices/containers/delete | Delete Azure Storage account blob service containers. Cortex uses this for automated cleanup of misconfigured storage containers as part of remediation workflows. Required for command: azure-storage-container-delete. |
Microsoft.Storage/storageAccounts/blobServices/containers/read | Read blob container metadata to discover and inventory blob data stores for DSPM scanning. |
Microsoft.Storage/storageAccounts/blobServices/containers/setAcl/action | Set or modify the access control list (ACL) for folders or files within a storage container. Cortex uses this for automated remediation of storage access configurations, ensuring that container permissions align with security best practices. |
Microsoft.Storage/storageAccounts/blobServices/containers/write | Modify Azure Storage account blob service container configurations. Cortex uses this for automated storage security remediation, enabling updates to container properties and access settings. Required for command: azure-storage-blob-containers-update. |
Microsoft.Storage/storageAccounts/blobServices/read | Read the configuration of Azure Storage account blob services. Cortex uses this to assess storage security posture, including soft delete settings, as part of automation workflows. Required for command: azure-storage-blob-service-properties-get. |
Microsoft.Storage/storageAccounts/blobServices/write | Enable soft delete functionality on Azure Storage account blob services. Cortex uses this to remediate issues detected by the "Azure Storage account soft delete is disabled" rule. This automated remediation ensures that deleted blobs can be recovered, protecting against accidental or malicious data loss. |
Microsoft.Storage/storageAccounts/read | Read storage account properties to discover and inventory data stores for DSPM scanning. |
Microsoft.Storage/storageAccounts/write | Enable access for trusted Microsoft services on Azure Storage Accounts. Cortex uses this to remediate issues detected by the "Azure Storage Account 'Trusted Microsoft Services' access not enabled" rule. This automated remediation ensures that essential Azure services can securely access storage resources. |
Microsoft.Web/sites/config/read | Read the configuration settings of Azure App Service Web apps. Cortex uses this to assess web application security settings such as HTTP version and HTTPS enforcement as part of automation workflows. This read-only access does not modify any App Service configurations. |
Microsoft.Web/sites/config/write | Set the HTTP version to 2.0 within the Azure App Service Web app configuration. Cortex uses this to remediate issues detected by the "Azure App Service Web app doesn't use HTTP 2.0" rule. This automated remediation ensures that web applications use the latest HTTP protocol for improved performance and security. |
Microsoft.Web/sites/read | Read the status and properties of Azure App Service Web apps. Cortex uses this to inventory web applications and assess their security configurations such as HTTPS enforcement as part of automation workflows. This read-only access does not modify any App Service resources. |
Microsoft.Web/sites/write | Set the HTTPS-only feature for Azure App Service Web apps to enforce redirection from HTTP to HTTPS. Cortex uses this to remediate issues detected by the "Azure App Service Web app doesn't redirect HTTP to HTTPS" rule. This automated remediation ensures that all web traffic is encrypted in transit. Required for command: azure-webapp-update. |
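Before approving the remediation role, it is worth checking that the role definition actually created in your tenant contains only the actions documented in this table, and which of them can change state. The following Python check is an added example, not Cortex Cloud code: it assumes the JSON shape returned by `az role definition list`, embeds a constructed role definition, and compares its actions (case-insensitively, as Azure RBAC does) against a representative subset of the actions listed above.

```python
import json

# Actions documented in this table (a subset of the page's list, for illustration).
DOCUMENTED_ACTIONS = {
    "Microsoft.Insights/logProfiles/read",
    "Microsoft.Insights/logProfiles/write",
    "Microsoft.KeyVault/vaults/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/delete",
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Sql/servers/databases/transparentDataEncryption/write",
    "Microsoft.Web/sites/write",
}
# Action verbs that change state; read-only actions end in /read.
MUTATING_SUFFIXES = ("/write", "/delete", "/action")


def audit_role(role_json: str, allowlist=DOCUMENTED_ACTIONS) -> dict:
    """Return undocumented, wildcard and mutating actions in a role definition.
    Comparison is case-insensitive, as Azure RBAC action strings are."""
    known = {a.lower() for a in allowlist}
    findings = {"undocumented": [], "wildcard": [], "mutating": []}
    for block in json.loads(role_json)["properties"]["permissions"]:
        for action in block.get("actions", []):
            if "*" in action:                      # grants a whole family of actions
                findings["wildcard"].append(action)
            elif action.lower() not in known:
                findings["undocumented"].append(action)
            if "*" in action or action.lower().endswith(MUTATING_SUFFIXES):
                findings["mutating"].append(action)
    return findings


# Constructed sample in the shape of `az role definition list` output; the
# wildcard and the virtualMachines/write action were added deliberately to be caught.
SAMPLE_ROLE = json.dumps({"properties": {
    "roleName": "cortex-remediation-role-example",
    "permissions": [{"actions": [
        "Microsoft.Insights/logProfiles/read",
        "Microsoft.KeyVault/vaults/write",
        "Microsoft.resources/subscriptions/read",
        "Microsoft.Network/*",
        "Microsoft.Compute/virtualMachines/write",
    ], "notActions": []}],
}})

if __name__ == "__main__":
    for kind, actions in audit_role(SAMPLE_ROLE).items():
        print(f"{kind}: {actions}")
```

Any entry under `undocumented` or `wildcard` is a reason to pause onboarding and compare against the full table; the `mutating` list is the set of actions worth monitoring in the Activity Log once the role is assigned.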