Onboarding in Azure
Saner CNAPP Login
Soon after logging in, the following roles can perform onboarding activities:
- Admin
- Org Admin
[Mandatory] Roles for Detection and Monitoring
| Role | Description |
|---|---|
| Security Reader | Provides insights into Resource Detection and Monitoring. Grants read-only access to security-related information. This role is restricted from making changes; however, can review resource configurations and detect issues. Click to read more… |
| Reader | This role is restricted from making changes; however, can review resource configurations and detect issues. Click to read more… |
RBAC Permissions for Remediation in Azure
The following list of configured RBAC (Role-Based Access Control) permissions includes all the permissions necessary for remediation.
| Action | Permission | Description |
|---|---|---|
| policyAssignments/write cyAssignments | Write | Create a policy assignment at the specified scope Click here to read more… |
| Compute/disks/ | Write | Write permissions to critical security and infrastructure components such as: Compute- VMs, Disks |
| Compute/virtualMachines/write | Write | Creates a new virtual machine or updates an existing virtual machine |
| Flexible Servers | Write | With this configuration setting, you can customize the database parameters according to your needs Click here to read more… |
| Servers | Write | Define and customize server settings within your infrastructure Click here to read more… |
| Activity Log Alerts | Write | Monitor management operations and security-related changes across your Azure environment Click here to read more… |
| Diagnostic Settings | Write | Configure diagnostic settings for Azure resources and manage monitoring and analysis Click here to read more… |
| Log profiles | Write | Configure activity log profiles in Azure Click here to read more… |
| Vaults | Write | Create and manage Azure Key Vaults, which store and control access to secrets, encryption keys, and certificates securely Click here to read more… |
| Network Security Groups | Write | With this configuration control inbound and outbound traffic to and from Azure resources Click here to read more… |
| NetworkWatchers/flowLogs | Write | Configure “NSG Flow Logs”, which capture network traffic passing through a Network Security Group (NSG). These logs help with monitoring, troubleshooting, and security analysis by providing visibility into allowed and denied network traffic Click here to read more… |
| Pricings | Write | With this configuration in Azure, modify security features for different Azure resources, such as virtual machines, storage accounts, Kubernetes, databases, and more Click here to read more… |
| Security Contacts | Write | Configure security contact details to receive security alerts, notifications, and threat intelligence reports related to security incidents in your Azure environment Click here to read more… |
| Servers/administrators | Write | Using this configuration, manage authentication and access control for your SQL databases using Azure Active Directory (AAD) Click here to read more… |
| Advanced Threat Protection Settings | Write | Configure Advanced Threat Protection (ATP) for an Azure SQL Server to detect and respond to potential security threats in your SQL databases Click here to read more… |
| Auditing Settings | Write | Configure auditing for an Azure SQL Server to track database activities, detect security threats, and ensure compliance by logging events to Azure Storage, Log Analytics, or Event Hubs Click here to read more… |
| Security Alert Policies | Write | Configure security alert policies for an Azure SQL database to detect and respond to potential security threats by sending alerts for suspicious database activities Click here to read more… |
| Databases/transparent Data Encryption | Write | Enable or disable Transparent Data Encryption (TDE) for an Azure SQL Database to protect data at rest by automatically encrypting the database, associated backups, and transaction log files Click here to read more… |
| Encryption Protector | Write | By Configuring and updating the encryption protector setting for an Azure SQL Server, you determine if the server uses Microsoft-managed keys or customer-managed keys (CMK) for Transparent Data Encryption (TDE) Click here to read more… |
| Firewall Rules | Write | Create or update firewall rules for an Azure SQL Server to define which IP addresses or ranges are allowed to connect to databases hosted on the server Click here to read more… |
| SecurityAlertPolicies | Write | This configuration helps monitor, detect, and respond to suspicious database activity Click here to read more… |
| Vulnerability Assessments | Write | Configure and update vulnerability assessments for an Azure SQL Server to detect security vulnerabilities, misconfigurations, and compliance issues in your SQL databases Click here to read more… |
| Vulnerability Assessments | Delete | Removes a SQL Server vulnerability assessment, effectively disabling or deleting the vulnerability assessment settings for a specific server |
| StorageAccounts/blobServices | Write | With this configuration create or update settings for Blob services in an Azure Storage Account Click here to read more… |
| StorageAccounts/regenerateKey | Action | Regenerate (reset) the access keys for an Azure Storage Account to authenticate and authorize access to the storage services (Blobs, Queues, Tables, and Files). Click here to read more… |
| StorageAccounts | Write | Configuration related to Azure Storage Accounts and grants the ability to create or update a storage account in Azure Click here to read more… |
| Config | Write | Permission setting that grants the ability to create or update a storage account in Azure Click here to read more… |
| Sites | Write | Permission setting that allows users to create, modify, and update Azure App Services, including Web Apps, API Apps, and Function Apps Click here to read more… |
| Network Watchers | Write | Permission setting that allows users to create, modify, and update Azure Network Watchers Click here to read more… |
| Role Assignments | Delete | Permission to remove role assignments in Azure Role-Based Access Control (RBAC), where a user with this permission can revoke access from other users, groups, or service principals Click here to read more… |
Summary of Permissions and Actions for Custom Role
| Permission | Action |
|---|---|
| Write | Write permissions to critical security and infrastructure components such as: — Compute: VMs, Disks — Databases: MySQL, PostgreSQL, SQL Server — Security & Monitoring: Activity log alerts, Diagnostic settings, Security settings — Networking: NSGs, Flow Logs, Network Watchers — Storage: Storage accounts, Key regeneration — Web Apps: Azure Web Apps (Sites) |
| Modify | Modify Security policies, firewall rules, and role assignments |
| Regenerate | Regenerate Storage Account Keys |
| Delete | — Delete Security Vulnerability Assessments — Remove role assignments |
| Not Actions | No explicit restriction on what the custom role cannot do |
Roles and Permissions at Application Level
| Application-Specific Role | Permission |
|---|---|
| Cloud Application Administrator | Manages application registrations, policy creation and related permission |
| Subscription-level Administrator | Can create, edit, or attach other roles to the user |
Microsoft Graph API Permissions in Azure
Applications are authorized to call APIs when they are granted permissions by users/admins as part of the consent process. The following list of configured permissions ( sp-saner-cnapp-azure-graph-api-perm) includes all the permissions the application needs.
| Permission | Type | Description |
|---|---|---|
| Application.Read.All | Application | Read all applications |
| Application.ReadWrite.All | Application | Modify all applications |
| Application.ReadWrite.OwnedBy | Application | Manage apps that this application creates or owns |
| AuditLog.Read.All | Application | Read all audit log data |
| CustomSecAttributeAssignment.Read.All | Application | Read custom security attribute assignments |
| DeviceManagementConfiguration.Read.All | Application | Read Microsoft Intune device configuration and policies |
| DeviceManagementConfiguration.ReadWrite.All | Application | Modify Microsoft Intune device configuration and policies |
| DeviceManagementManagedDevices. PrivilegedOperations | Application | Perform user-impacting remote actions on Microsoft Intune Devices |
| DeviceManagementManagedDevices.Read.All | Application | Read Microsoft Intune devices |
| DeviceManagementManagedDevices.ReadWrite.All | Application | Modify Microsoft Intune devices |
| Directory.Read.All | Application | Read directory data |
| EntitlementManagement.Read.All | Application | Read all entitlement management resources |
| EntitlementManagement.ReadWrite.All | Application | Modify all entitlement management resources |
| Group.Create | Application | Create groups |
| Group.Read.All | Application | Read all groups |
| Group.ReadWrite.All | Application | Read and write all groups |
| GroupMember.Read.All | Application | Read all group memberships |
| IdentityRiskEvent.Read.All | Application | Read all identity risk event information |
| Organization.Read.All | Application | Read organization information |
| Policy.Read.All | Application | Read your organization’s policies |
| Policy.Read.ConditionalAccess | Application | Read your organization’s conditional access policies |
| Policy.ReadWrite.AuthenticationMethod | Application | Modify all authentication method policies |
| Policy.ReadWrite.Authorization | Application | Modify your organizations authorization policy |
| Policy.ReadWrite.ConditionalAccess | Application | Modify your organization’s conditional access policies |
| Policy.ReadWrite.DeviceConfiguration | Application | Modify your organization’s device configuration policies |
| Reports.Read.All | Application | Read all users’ full profiles |
| RoleManagement.Read.All | Application | Read role management data for all RBAC providers |
| RoleManagementAlert.Read.Directory | Application | Read all alert data for your company’s directory |
| RoleManagementPolicy.Read.Directory | Application | Read all policies for privileged role assignments for your company’s directory |
| SecurityAlert.Read.All | Application | Read all security alerts |
| SecurityAlert.ReadWrite.All | Application | Read and write to all security alerts |
| SecurityEvents.Read.All | Application | Read your organization’s security events |
| SecurityEvents.ReadWrite.All | Application | Modify your organization’s security events |
| ServicePrincipalEndpoint.Read.All | Application | Read service principal endpoints |
| User.Read.All | Application | Read all users’ full profiles |
| User.ReadWrite.All | Application | Read and write all users’ full profiles |
| UserAuthenticationMethod.Read.All | Application | Read all users’ authentication methods |
| UserAuthenticationMethod.ReadWrite.All | Application | Read and write all users’ authentication methods |
