Azure Connection Permissions


1.0 Permissions Using Custom Roles

This section describes the read permissions required to onboard an Azure connection using custom roles in Fortanix Key Insight. It provides a detailed list of Role-Based Access Control (RBAC) permissions that must be granted to enable secure and successful integration with Azure resources.

NOTE

Fortanix Key Insight does not access customer data. The permissions listed in this article are required only to retrieve cryptographic metadata and enforce security policies.

1.1 Azure Permissions (Services) - Actions

This section describes the Azure Actions permissions required to integrate Azure services with Fortanix Key Insight.

| Azure Service | Permission | Description |
|---|---|---|
| Azure Resource Manager (ARM) | Microsoft.Resources/subscriptions/read | Read access to subscription metadata. |
| Azure Resource Manager (ARM) | Microsoft.Resources/subscriptions/resourceGroups/read | Read access to resource groups within a subscription. |
| Azure Key Vault | Microsoft.KeyVault/vaults/read | Read metadata about Key Vault instances. |
| Azure Key Vault | Microsoft.KeyVault/vaults/keys/versions/read | Read all versions of a key in Key Vault. |
| Azure Key Vault | Microsoft.KeyVault/deletedVaults/read | Read metadata about soft-deleted Key Vaults. |
| Azure Storage | Microsoft.Storage/storageAccounts/read | Read metadata about Azure storage accounts. |
| Azure Storage | Microsoft.Storage/storageAccounts/blobServices/containers/read | Read metadata about blob containers. |
| Azure Storage | Microsoft.Storage/storageAccounts/encryptionScopes/read | Read encryption scope configurations within storage accounts. |
| Azure SQL | Microsoft.Sql/servers/read | Read SQL Server metadata and configurations. |
| Azure SQL | Microsoft.Sql/servers/encryptionProtector/read | Read encryption protector settings for SQL servers. |
| Azure SQL | Microsoft.Sql/servers/databases/read | Read metadata about SQL databases. |
| Azure SQL | Microsoft.Sql/servers/databases/transparentDataEncryption/read | Read Transparent Data Encryption (TDE) settings for SQL databases. |
| Azure SQL | Microsoft.Sql/managedInstances/read | Read the configuration details of SQL managed instances. |
| Azure SQL | Microsoft.Sql/managedInstances/encryptionProtector/read | Read encryption protector settings for SQL managed instances. |
| Azure SQL | Microsoft.Sql/managedInstances/databases/read | Read metadata about databases within SQL managed instances. |
| Azure Compute (Managed Disks) | Microsoft.Compute/disks/read | Read metadata about managed disks. |
| Azure Compute (Managed Disks) | Microsoft.Compute/diskEncryptionSets/read | Read the configuration of disk encryption sets. |
| Azure Container Instances | Microsoft.ContainerInstance/containerGroups/read | Read metadata about Azure Container Instance groups. |
| Azure Kubernetes Service (AKS) | Microsoft.ContainerService/managedClusters/read | Read metadata about managed Kubernetes clusters. |
| Azure Cosmos DB | Microsoft.DocumentDB/databaseAccounts/read | Read metadata about Cosmos DB accounts. |
| Azure Cosmos DB | Microsoft.DocumentDB/mongoClusters/read | Read MongoDB cluster configurations hosted in Cosmos DB. |

1.2 Azure Permissions (Services) - Data Actions

This section describes the Azure Data Actions permissions required to integrate Azure services with Fortanix Key Insight.

| Azure Service | Permission | Description |
|---|---|---|
| Azure Key Vault | Microsoft.KeyVault/vaults/keys/read | Read Key Vault keys and their properties. |
| Azure Key Vault | Microsoft.KeyVault/vaults/keyrotationpolicies/read | Read key rotation policies set on Key Vault keys. |
| Azure Storage | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Read metadata and encryption-related properties of blobs within containers. |

NOTE

You can grant permissions to Azure Key Vault using one of the following methods:

  • RBAC: Refer to the Azure Key Vault permissions outlined in Section 1.1: Azure Permissions (Services) - Actions and Section 1.2: Azure Permissions (Services) - Data Actions.

  • Access Policy: If your Azure Key Vault is managed using Access Policies, you must have the following key permissions to scan your Azure Key Vault keys during onboarding to Fortanix Key Insight:

    | Key Operations | Permission | Description |
    |---|---|---|
    | Key Management Operations | get | Retrieves the properties of a Key Vault key. |
    | Key Management Operations | list | Retrieves the list of Key Vault keys. |
    | Key Rotation Policy Operations | getrotationpolicy | Retrieves the rotation policy of a particular Key Vault key. |

1.3 Additional Azure Permissions

This section describes the additional Azure-level permissions required to support broader management tasks, including role assignments, IAM visibility, and resource scope operations.

| Azure Category | Permission | Description |
|---|---|---|
| Azure IAM (RBAC) | Microsoft.Authorization/roleDefinitions/read | Read role definitions in RBAC (used for defining custom roles). |
| Azure IAM (RBAC) | Microsoft.Authorization/roleAssignments/read | Read role assignments at various scopes. |
| Azure Management Groups | Microsoft.Management/managementGroups/read | Read metadata about Azure management groups. |

2.0 Permissions Using Built-In Roles

This section lists the permissions required to onboard an Azure connection using built-in roles in Fortanix Key Insight.

Assign the following built-in roles to the Azure service principal at the management group or subscription level to allow Fortanix Key Insight to scan Azure keys and services:

  • Reader

  • Key Vault Reader

  • Storage Blob Data Reader

For more information on how to assign these built-in roles to your Azure service principal, refer to Azure Connection Scanning Configuration Using Built-In Roles.

NOTE

After access is granted to the built-in roles at either the management group or subscription level, all required permissions for Fortanix Key Insight to scan Azure keys and services are automatically included.
