Roles required by Prevasio to scan your Azure subscriptions

In order to scan your Azure subscriptions, Prevasio creates a service principal based on the multi-tenant application "Prevasio CSPM". In addition, it assigns certain roles to the selected target.

This page describes the roles assigned by Prevasio to the onboarding target.

*Note: The "Key Vault Reader" role DOES NOT allow reading sensitive values such as secret contents or key material!

Assigned Roles

During onboarding, the Prevasio web application asks the user to specify an onboarding target. If the user onboards a single subscription, that subscription's ID will be the target.

If the user onboards multiple subscriptions, the selected target will be a management group or a root management group (Tenant root group).

Once the target is specified, Prevasio assigns the following roles to the selected onboarding target:

| Role Definition ID | Role Definition Name | Prevasio Functionality |
|---|---|---|
| 21090545-7ca7-4776-b22c-e363652d74d2 | Log Analytics Reader | Prevasio requires READ access to view the configuration of Azure diagnostics on all Azure resources |
| 7f951dda-4ed3-4680-a7ca-43fe172d538d | AcrPull | Prevasio requires READ access to pull and scan container images from the Azure container registry |
| 21090545-7ca7-4776-b22c-e363652d74d2 | Key Vault Reader | Prevasio requires READ access to read metadata of key vaults, certificates, keys, and secrets* |
| 4abbcc35-e782-43d8-92c5-2d3f1bd2253f | Azure Kubernetes Service Cluster User Role | Prevasio requires READ/WRITE access to perform a KSPM scan on Kubernetes clusters |
| 8311e382-0749-4cb8-b61a-304f252e45ec | AcrPush | Prevasio requires WRITE access to set the container image metadata property "canRead" to false (required to block pulling of the image as part of ACR CD Security) |
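As an added check (not Prevasio's code) of the note that Key Vault Reader exposes only metadata: a small Python audit that evaluates a role definition's data actions against a list of secret-reading operations, using Azure RBAC's `*` wildcard semantics and the Actions/NotActions precedence. The role-definition JSON is a constructed sample in the shape of `az role definition list` output, and the list of sensitive operations is an assumption.

```python
import re

# Constructed sample in the shape of `az role definition list -o json`, trimmed to the
# fields this check uses; not the page's tenant data. The Key Vault Reader entry mirrors
# the built-in role's published permissions, the second role is included for contrast.
SAMPLE_ROLE_DEFINITIONS = [
    {"roleName": "Key Vault Reader",
     "permissions": [{"actions": ["Microsoft.KeyVault/vaults/*/read",
                                  "Microsoft.Authorization/*/read"],
                      "notActions": [],
                      "dataActions": ["Microsoft.KeyVault/vaults/*/read"],
                      "notDataActions": []}]},
    {"roleName": "Key Vault Secrets User",
     "permissions": [{"actions": [], "notActions": [],
                      "dataActions": ["Microsoft.KeyVault/vaults/secrets/getSecret/action",
                                      "Microsoft.KeyVault/vaults/secrets/readMetadata/action"],
                      "notDataActions": []}]},
]

# Data-plane operations that return or use secret/key material (assumed list).
SENSITIVE_DATA_ACTIONS = [
    "Microsoft.KeyVault/vaults/secrets/getSecret/action",
    "Microsoft.KeyVault/vaults/keys/decrypt/action",
]

def _matches(pattern, operation):
    """Azure RBAC wildcard match: '*' spans any characters, names are case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None

def role_permits(role_def, operation, data_plane=True):
    """True if some permission block allows the operation and no Not* entry in it denies it."""
    allow, deny = ("dataActions", "notDataActions") if data_plane else ("actions", "notActions")
    for perm in role_def["permissions"]:
        allowed = any(_matches(p, operation) for p in perm.get(allow, []))
        denied = any(_matches(p, operation) for p in perm.get(deny, []))
        if allowed and not denied:
            return True
    return False

def sensitive_data_actions(role_def):
    """Sensitive operations the role grants; an empty list means metadata-only access."""
    return [op for op in SENSITIVE_DATA_ACTIONS if role_permits(role_def, op)]
```

On a real tenant, feed the function the output of `az role definition list --name "Key Vault Reader"` instead of the sample.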

By adding these roles to the selected target, Prevasio's multi-tenant application gets the permissions required to perform a cloud security assessment of each subscription under the target.

Note: If you decide to stop using Prevasio, some resources must be deleted. See Remove Azure Resources.