Permissions and Resources
Review Azure Roles and Permissions
Security Principals
There are two security principals involved in the onboarding process:
- Installer: The primary security principal, either a User or a Service Principal. This security principal will be used to perform the onboarding. Sysdig does not have access to this security principal.
- Sysdig: A Service Principal (robot user) created during onboarding with specific, less permissive roles. Sysdig will be given access to this security principal.
Azure Role Types
Azure IAM is separated into two control planes:
- Entra ID Roles: Applied to the entire Tenant.
- Azure RBAC Roles: Applied to the Subscription or Management Group being onboarded.
Base Azure Integration - Cloud Security Posture Management (CSPM)
Agentless Cloud Security Posture Management (CSPM) assesses and manages the security posture of your cloud resources without requiring agents.
Permissions Required to Install
The Installer must have at least the following roles assigned:
Role Type | Role | Description |
---|---|---|
Entra ID | Application Administrator | Required to create a Service Principal associated with a Sysdig-owned application. |
Entra ID | Privileged Role Administrator | Required to assign the Directory Readers Entra ID role to the created Service Principal. |
Azure RBAC | User Access Administrator | Required to attach Azure RBAC roles to the created Service Principal. |
Permissions Granted to Sysdig
The Sysdig Service Principal will be granted the following roles:
Role Type | Role | Description |
---|---|---|
Entra ID | Directory Readers | Allows Sysdig to list Users and Service Principals. |
Azure RBAC | Reader | Allows Sysdig to list resources within your Subscriptions. |
Azure RBAC | Custom Role containing: Microsoft.Web/sites/config/list/action | Allows Sysdig to collect the AuthSettings object required by certain CSPM controls. |
Resources Created
The following resources will be created in your Azure Environment:
Resource | Description |
---|---|
azuread_service_principal | Service principal used by Sysdig for Cloud Security Posture Management |
azuread_directory_role_assignment | Assigns the “Directory Readers” role to the Sysdig Service Principal |
azurerm_role_assignment | Assigns the “Reader” role to the Sysdig Service Principal. For single Subscription installs this is applied on the Subscription; for Tenant installs it is applied to the root Management Group, from which it is inherited by every Subscription beneath it. |
azurerm_role_definition | Custom role definition containing: Microsoft.Web/sites/config/list/action |
azurerm_role_assignment | Assigns the custom role to the Sysdig Service Principal |
Cloud Detection and Response (CDR)
Agentless Cloud Detection and Response (CDR) performs threat detection using Falco rules and policies on platform logs.
Permissions Required to Install
The Installer must have at least the following roles assigned:
Role Type | Role | Description |
---|---|---|
Entra ID | Application Administrator | Required to create a Service Principal associated with a Sysdig-owned application. |
Entra ID | Security Administrator | Required to create Entra ID Diagnostic Settings. |
Azure RBAC | Owner | Required to attach Azure RBAC roles to the created Service Principal, and create Resource Groups, Event Hub resources and Diagnostic Settings. |
Permissions Granted to Sysdig
The Sysdig Service Principal will be granted the following roles:
Role Type | Role | Description |
---|---|---|
Azure RBAC | Azure Event Hubs Data Receiver | Allows Sysdig to receive data from Event Hubs. |
Resources Created
The following resources will be created in your Azure Environment:
Resource | Description |
---|---|
azuread_service_principal | Service principal for Event Hub integration |
azurerm_resource_group | Resource group to contain the Event Hub and related resources |
azurerm_eventhub_namespace | Namespace for the Event Hub |
azurerm_eventhub | Event Hub for log ingestion |
azurerm_eventhub_consumer_group | Consumer group within the Event Hub |
azurerm_eventhub_namespace_authorization_rule | Authorization rule for the Event Hub namespace |
azurerm_role_assignment | Assigns the “Azure Event Hubs Data Receiver” role to the Sysdig service principal for the Event Hub namespace |
azurerm_monitor_diagnostic_setting | Diagnostic settings for the subscription |
azurerm_monitor_aad_diagnostic_setting | Diagnostic settings for Entra ID |
Vulnerability Management Agentless Host Scanning
Vulnerability Management Agentless Host Scanning performs vulnerability scanning using disk snapshots and Azure Lighthouse for accurate risk assessment and management.
Permissions Required to Install
The Installer must have at least the following roles assigned:
Role Type | Role | Description |
---|---|---|
Entra ID | Application Administrator | Required to create a Service Principal associated with a Sysdig-owned application. |
Entra ID | Privileged Role Administrator | Required to assign Entra ID roles to the created Service Principal. |
Azure RBAC | User Access Administrator | Required to create Azure Lighthouse Definition and Assignment. |
Permissions Granted to Sysdig
The Sysdig Service Principal will be granted the following roles:
Role Type | Role | Description |
---|---|---|
Azure RBAC | VM Scanner Operator | Allows Sysdig access to disk snapshots for security analysis. |
Resources Created
The following resources will be created in your Azure Environment:
Resource | Description |
---|---|
azurerm_lighthouse_definition | Defines the Azure Lighthouse relationship |
azurerm_lighthouse_assignment | Assigns the Lighthouse definition to target subscriptions |
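The Permissions Required and Permissions Granted tables above are most useful as something you can check before and after onboarding: does the Installer actually hold the listed roles at the target scope, and does the Sysdig Service Principal end up with exactly the listed roles and nothing more. The following is an added example (not Sysdig's installer code) that performs both checks for the CSPM, CDR and Vulnerability Management tables. It expects Azure RBAC input in the shape returned by `az role assignment list --assignee <objectId> --all -o json` (only the `roleDefinitionName` and `scope` fields are used) and Entra ID input as a list of directory role display names, for example from Microsoft Graph `/servicePrincipals/{id}/memberOf` or `/me/memberOf`. The custom CSPM role name "Sysdig CSPM Config Reader", the management group name and all sample data are assumptions constructed for illustration.

```python
"""Installer pre-flight check and least-privilege audit of the Sysdig service
principal, driven by the role tables on this page.

Added example, not Sysdig's own code. RBAC input mirrors
`az role assignment list --assignee <objectId> --all -o json`; Entra ID input is
a list of directory role display names. The custom CSPM role name and the
sample data below are assumptions constructed for illustration.
"""

ROOT_MG = "/providers/Microsoft.Management/managementGroups/{tenant}"

# Installer requirements per component, transcribed from the tables above.
INSTALLER = {
    "cspm": {"entra": {"Application Administrator", "Privileged Role Administrator"},
             "rbac": {"User Access Administrator"}},
    "cdr":  {"entra": {"Application Administrator", "Security Administrator"},
             "rbac": {"Owner"}},
    "vm":   {"entra": {"Application Administrator", "Privileged Role Administrator"},
             "rbac": {"User Access Administrator"}},
}

# What the Sysdig service principal should hold afterwards, and nothing more.
SYSDIG = {
    "cspm": {"entra": {"Directory Readers"},
             "rbac": {"Reader", "Sysdig CSPM Config Reader"}},  # custom role name assumed
    "cdr":  {"entra": set(), "rbac": {"Azure Event Hubs Data Receiver"}},
    "vm":   {"entra": set(), "rbac": {"VM Scanner Operator"}},
}
CSPM_CUSTOM_ACTIONS = {"Microsoft.Web/sites/config/list/action"}

# Owner carries role-assignment rights, so it satisfies a User Access
# Administrator requirement for the Installer. Not applied when auditing Sysdig.
RBAC_IMPLIES = {"Owner": {"User Access Administrator"}}


def effective_rbac_roles(assignments, scope_chain):
    """Roles effective at scope_chain[0].

    scope_chain lists the target scope followed by its ancestors (for example
    the Subscription, then the root Management Group). Azure RBAC inherits
    downward, but management-group and subscription scope strings do not nest
    textually, so the caller supplies the chain instead of us prefix-matching.
    """
    chain = {s.rstrip("/") for s in scope_chain}
    return {a["roleDefinitionName"] for a in assignments
            if a["scope"].rstrip("/") in chain}


def missing_installer_roles(component, entra_roles, assignments, scope_chain):
    """Return (missing_entra, missing_rbac) for the Installer; both empty means go."""
    need = INSTALLER[component]
    have_rbac = effective_rbac_roles(assignments, scope_chain)
    for role in list(have_rbac):
        have_rbac |= RBAC_IMPLIES.get(role, set())
    return need["entra"] - set(entra_roles), need["rbac"] - have_rbac


def audit_sysdig_principal(component, entra_roles, assignments, scope_chain,
                           custom_role_actions=()):
    """Least-privilege audit of the Sysdig service principal after onboarding.

    Reports the documented roles it lacks at the target scope, every role it
    holds at any scope that this page does not list (over-provisioning), and
    whether the CSPM custom role carries exactly the one documented action.
    """
    expect = SYSDIG[component]
    at_scope = effective_rbac_roles(assignments, scope_chain)
    anywhere = {a["roleDefinitionName"] for a in assignments}
    return {
        "missing_rbac": expect["rbac"] - at_scope,
        "unexpected_rbac": anywhere - expect["rbac"],
        "missing_entra": expect["entra"] - set(entra_roles),
        "unexpected_entra": set(entra_roles) - expect["entra"],
        "custom_role_ok": (component != "cspm"
                           or set(custom_role_actions) == CSPM_CUSTOM_ACTIONS),
    }


# Constructed sample data (not output from a real tenant).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
CHAIN = [SUB, ROOT_MG.format(tenant="contoso-tenant")]

INSTALLER_ASSIGNMENTS = [{"roleDefinitionName": "Owner", "scope": SUB}]
INSTALLER_ENTRA = ["Application Administrator"]

SYSDIG_ASSIGNMENTS = [
    {"roleDefinitionName": "Reader", "scope": CHAIN[1]},             # tenant install
    {"roleDefinitionName": "Sysdig CSPM Config Reader", "scope": CHAIN[1]},
    {"roleDefinitionName": "Contributor", "scope": SUB},             # over-provisioned
]
SYSDIG_ENTRA = ["Directory Readers"]

if __name__ == "__main__":
    print(missing_installer_roles("cspm", INSTALLER_ENTRA, INSTALLER_ASSIGNMENTS, CHAIN))
    print(audit_sysdig_principal("cspm", SYSDIG_ENTRA, SYSDIG_ASSIGNMENTS, CHAIN,
                                 custom_role_actions=list(CSPM_CUSTOM_ACTIONS)))
```

With the sample data the Installer check reports that Privileged Role Administrator is still missing while Owner already satisfies the User Access Administrator requirement, and the audit flags the stray Contributor assignment on the Subscription as a grant the tables above never asked for. The scope chain matters: a Reader assignment on the root Management Group counts as effective on the Subscription only because the caller lists that Management Group as an ancestor.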