Fortanix Key Insight - Azure Connection Permissions


1.0 Fortanix Key Insight - Azure Permissions Using Custom Roles

This section describes the read permissions required to onboard an Azure connection using custom roles in Fortanix Key Insight. It provides a detailed list of Role-Based Access Control (RBAC) permissions that must be granted to enable secure and successful integration with Azure resources.

1.1 Azure Permissions (Services) - Actions

This section describes the Azure Actions permissions required to integrate Azure services with Fortanix Key Insight.

Azure Service | Permission | Description
--- | --- | ---
Azure Resource Manager (ARM) | Microsoft.Resources/subscriptions/read | Read access to subscription metadata.
Azure Resource Manager (ARM) | Microsoft.Resources/subscriptions/resourceGroups/read | Read access to resource groups within a subscription.
Azure Key Vault | Microsoft.KeyVault/vaults/read | Read metadata about Key Vault instances.
Azure Key Vault | Microsoft.KeyVault/vaults/keys/versions/read | Read all versions of a key in Key Vault.
Azure Key Vault | Microsoft.KeyVault/deletedVaults/read | Read information about soft-deleted Key Vaults.
Azure Storage | Microsoft.Storage/storageAccounts/read | Read metadata about Azure storage accounts.
Azure Storage | Microsoft.Storage/storageAccounts/blobServices/containers/read | Read metadata about blob containers.
Azure Storage | Microsoft.Storage/storageAccounts/encryptionScopes/read | Read encryption scope configurations within storage accounts.
Azure SQL | Microsoft.Sql/servers/read | Read SQL Server metadata and configurations.
Azure SQL | Microsoft.Sql/servers/encryptionProtector/read | Read encryption protector settings for SQL servers.
Azure SQL | Microsoft.Sql/servers/databases/read | Read metadata about SQL databases.
Azure SQL | Microsoft.Sql/servers/databases/transparentDataEncryption/read | Read Transparent Data Encryption (TDE) settings for SQL databases.
Azure SQL | Microsoft.Sql/managedInstances/read | Read the configuration details of SQL managed instances.
Azure SQL | Microsoft.Sql/managedInstances/encryptionProtector/read | Read encryption protector settings for SQL managed instances.
Azure SQL | Microsoft.Sql/managedInstances/databases/read | Read metadata about databases within SQL managed instances.
Azure Compute (Managed Disks) | Microsoft.Compute/disks/read | Read metadata about managed disks.
Azure Compute (Managed Disks) | Microsoft.Compute/diskEncryptionSets/read | Read the configuration of disk encryption sets.
Azure IAM (RBAC) | Microsoft.Authorization/roleDefinitions/read | Read role definitions in RBAC (used for defining custom roles).
Azure IAM (RBAC) | Microsoft.Authorization/roleAssignments/read | Read role assignments at various scopes.
Azure Container Instances | Microsoft.ContainerInstance/containerGroups/read | Read metadata about Azure Container Instance groups.
Azure Kubernetes Service (AKS) | Microsoft.ContainerService/managedClusters/read | Read information about managed Kubernetes clusters.
Azure Cosmos DB | Microsoft.DocumentDB/databaseAccounts/read | Read metadata about Cosmos DB accounts.
Azure Cosmos DB | Microsoft.DocumentDB/mongoClusters/read | Read MongoDB cluster configurations hosted in Cosmos DB.

1.2 Azure Permissions (Services) - Data Actions

This section describes the Azure Data Actions permissions required to integrate Azure services with Fortanix Key Insight.

Azure Service | Permission | Description
--- | --- | ---
Azure Key Vault | Microsoft.KeyVault/vaults/keys/read | Read Key Vault keys and their properties.
Azure Key Vault | Microsoft.KeyVault/vaults/keyrotationpolicies/read | Read key rotation policies set on Key Vault keys.
Azure Storage | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Read data and properties of individual blobs in containers.

NOTE

You can grant permissions to Azure Key Vault using one of the following methods:

  • RBAC: Refer to the Azure Key Vault permissions outlined in Section 1.1: Azure Permissions (Services) – Actions and Section 1.2: Azure Permissions (Services) – Data Actions.

  • Access Policy: If your Azure Key Vault is managed using Access Policies, you must have the following key permissions to scan your Azure Key Vault keys during onboarding to Fortanix Key Insight:

    Key Operations | Permission | Description
    --- | --- | ---
    Key Management Operations | get | Retrieves the function of the Key Vault key.
    Key Management Operations | list | Retrieves the list of Key Vault keys.
    Key Rotation Policy Operations | getrotationpolicy | Retrieves the rotation policy of a particular Key Vault key.

1.3 Azure Permissions (Others)

This section describes the additional Azure-level permissions required to support broader management tasks, including role assignments, IAM visibility, and resource scope operations.

Azure Category | Permission | Description
--- | --- | ---
Azure IAM (RBAC) | Microsoft.Authorization/roleDefinitions/read | Read role definitions in RBAC (used for defining custom roles).
Azure IAM (RBAC) | Microsoft.Authorization/roleAssignments/read | Read role assignments at various scopes.
Azure Management Groups | Microsoft.Management/managementGroups/read | Read metadata about Azure management groups.
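As an added example (not Fortanix's code or documentation), the following Python assembles the Actions from Sections 1.1 and 1.3 and the Data Actions from Section 1.2 into a custom role definition in the JSON shape that `az role definition create --role-definition` accepts, and audits an existing role definition against that list using Azure's wildcard and NotActions/NotDataActions semantics. The subscription ID, role name and description are placeholders; the Key Vault access-policy alternative described in the NOTE above is not RBAC and is outside this check.

```python
import fnmatch

# Control-plane Actions from Sections 1.1 and 1.3 (IAM entries listed once).
REQUIRED_ACTIONS = [
    "Microsoft.Resources/subscriptions/read", "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.KeyVault/vaults/read", "Microsoft.KeyVault/vaults/keys/versions/read",
    "Microsoft.KeyVault/deletedVaults/read",
    "Microsoft.Storage/storageAccounts/read", "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    "Microsoft.Storage/storageAccounts/encryptionScopes/read",
    "Microsoft.Sql/servers/read", "Microsoft.Sql/servers/encryptionProtector/read",
    "Microsoft.Sql/servers/databases/read", "Microsoft.Sql/servers/databases/transparentDataEncryption/read",
    "Microsoft.Sql/managedInstances/read", "Microsoft.Sql/managedInstances/encryptionProtector/read",
    "Microsoft.Sql/managedInstances/databases/read",
    "Microsoft.Compute/disks/read", "Microsoft.Compute/diskEncryptionSets/read",
    "Microsoft.Authorization/roleDefinitions/read", "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.ContainerInstance/containerGroups/read", "Microsoft.ContainerService/managedClusters/read",
    "Microsoft.DocumentDB/databaseAccounts/read", "Microsoft.DocumentDB/mongoClusters/read",
    "Microsoft.Management/managementGroups/read",
]
# Data-plane DataActions from Section 1.2.
REQUIRED_DATA_ACTIONS = [
    "Microsoft.KeyVault/vaults/keys/read", "Microsoft.KeyVault/vaults/keyrotationpolicies/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
]


def build_role_definition(subscription_id, name="Fortanix Key Insight Reader"):
    """Custom role document for `az role definition create`; name and scope are placeholders."""
    return {"Name": name, "IsCustom": True, "Description": "Read-only scanning access for Fortanix Key Insight",
            "Actions": REQUIRED_ACTIONS, "NotActions": [], "DataActions": REQUIRED_DATA_ACTIONS,
            "NotDataActions": [], "AssignableScopes": [f"/subscriptions/{subscription_id}"]}


def _granted(permission, allow, deny):
    """Azure semantics: effective if an allow pattern matches and no deny pattern does ('*' wildcard, case-insensitive)."""
    hit = lambda patterns: any(fnmatch.fnmatchcase(permission.lower(), p.lower()) for p in patterns)
    return hit(allow) and not hit(deny)


def missing_permissions(role):
    """Required Actions/DataActions that an existing role definition does not effectively grant."""
    missing = [a for a in REQUIRED_ACTIONS if not _granted(a, role.get("Actions", []), role.get("NotActions", []))]
    missing += [d for d in REQUIRED_DATA_ACTIONS
                if not _granted(d, role.get("DataActions", []), role.get("NotDataActions", []))]
    return missing


def non_read_permissions(role):
    """Least-privilege check: any granted entry that is not a .../read permission is wider than this page needs."""
    return [p for p in role.get("Actions", []) + role.get("DataActions", []) if not p.lower().endswith("/read")]
```

Running `missing_permissions` against a role whose Actions are only `*/read` reports exactly the three Data Actions, which is why the built-in Reader role alone is not enough and Section 2.0 also lists Storage Blob Data Reader and Key Vault Reader.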

2.0 Fortanix Key Insight - Azure Permissions Using Built-In Roles

This section lists the permissions required to onboard an Azure connection using built-in roles in Fortanix Key Insight.

You must assign the following built-in roles to your Azure service principal at the management group and subscription levels so that Fortanix Key Insight can scan the required Azure keys and services:

  • Reader

  • Key Vault Reader

  • Storage Blob Data Reader

For more information on how to assign these built-in roles to your Azure service principal, refer to Fortanix Key Insight - Azure Configuration for Scanning Using Built-In Roles.

NOTE

Once the built-in roles are assigned at either the management group or subscription level, all permissions that Fortanix Key Insight needs to scan Azure keys and services are provisioned automatically; no custom role is required.