Create a principal and assign roles to the application
To grant the application access to the subscription, assign it a combination of the built-in Reader role and a custom Azure Storage read-only RBAC role.
To assign the Reader role and the custom RBAC role:
- Create a service principal for the application:
New-AzureRmADServicePrincipal -ApplicationId <APPLICATIONID>
- Assign the Reader role to the application. This role is required for Azure Resource Manager (ARM) discovery.
  New-AzureRmRoleAssignment `
      -RoleDefinitionName Reader `
      -ServicePrincipalName <APPLICATIONID> `
      -Scope "/subscriptions/<SubscriptionID>"
- Create a .json file template with the required permissions. The permissions set in this template ensure read-only access to Azure Storage services using RBAC. Storage Account keys are not used.
  {
    "Name": "<Role-Name>",
    "Id": null,
    "IsCustom": true,
    "Description": "<Role Description>",
    "Actions": [
      "Microsoft.Storage/*/read",
      "Microsoft.Resources/subscriptions/resourceGroups/read"
    ],
    "NotActions": [],
    "DataActions": [
      "Microsoft.Storage/*/read"
    ],
    "NotDataActions": [],
    "AssignableScopes": [
      "/subscriptions/<SubscriptionID>"
    ]
  }
- Create the custom role from the .json file template:
  New-AzRoleDefinition -InputFile "C:\CustomRoles\customrole.json"
- Assign the custom role to the application:
  New-AzureRmRoleAssignment `
      -RoleDefinitionName <customRoleName> `
      -ServicePrincipalName <APPLICATIONID> `
      -Scope "/subscriptions/<SubscriptionID>"
- Add the following advanced parameter in IT Analytics:
  Parameter name: AZURE_STORAGE_AUTH_MODE
  Parameter value: RBAC
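The following script is an added example and is not part of the original procedure or the product's own tooling. It checks the custom role file for least privilege before the role is created (only read actions, scoped to this subscription) and, after the assignments, confirms the principal holds exactly the Reader role and the custom role. It assumes the Az module with an active Connect-AzAccount session (the AzureRM cmdlets in the steps have Az equivalents such as New-AzADServicePrincipal and New-AzRoleAssignment), the file path from the steps, and the placeholder values at the top.

```powershell
# Added example, not from the original page: validate the custom role file for
# least privilege, then confirm the principal holds only the two intended roles.
# Assumes the Az module and an active Connect-AzAccount session.
$SubscriptionId = "<SubscriptionID>"               # placeholder
$ApplicationId  = "<APPLICATIONID>"                # placeholder
$CustomRoleName = "<customRoleName>"               # placeholder: the "Name" in the JSON
$RoleFile       = "C:\CustomRoles\customrole.json"
$Scope          = "/subscriptions/$SubscriptionId"

function Test-ReadOnlyRoleFile {
    param([string]$Path, [string]$ExpectedScope)
    $role = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $problems = @()
    # Every control-plane and data-plane action must be a read action; a write,
    # delete, listKeys or regenerateKey action would exceed read-only access.
    foreach ($a in (@($role.Actions) + @($role.DataActions) | Where-Object { $_ })) {
        if ($a -notmatch '/read$') { $problems += "non-read action: $a" }
    }
    if ($role.NotActions.Count -gt 0 -or $role.NotDataActions.Count -gt 0) {
        $problems += "NotActions and NotDataActions should be empty for this role"
    }
    # The role must only be assignable inside this subscription.
    if ((@($role.AssignableScopes) -join ',') -ne $ExpectedScope) {
        $problems += "AssignableScopes must be exactly $ExpectedScope"
    }
    return $problems
}

function Test-PrincipalAssignments {
    param([string]$AppId, [string]$AtScope, [string]$RoleName)
    # Assignments inherited from parent scopes (e.g. a management group) are listed
    # too, so anything beyond Reader and the custom role shows up under Extra.
    $assigned = Get-AzRoleAssignment -ServicePrincipalName $AppId -Scope $AtScope |
                Select-Object -ExpandProperty RoleDefinitionName
    $expected = @('Reader', $RoleName)
    [pscustomobject]@{
        Extra   = @($assigned | Where-Object { $_ -notin $expected })
        Missing = @($expected | Where-Object { $_ -notin $assigned })
    }
}

# Before creating the role: refuse to create it if the file grants more than read.
$issues = Test-ReadOnlyRoleFile -Path $RoleFile -ExpectedScope $Scope
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { New-AzRoleDefinition -InputFile $RoleFile | Out-Null }

# After both role assignments: Extra and Missing should both be empty.
Test-PrincipalAssignments -AppId $ApplicationId -AtScope $Scope -RoleName $CustomRoleName
```

Run the file check before the New-AzRoleDefinition step and the assignment check after the second New-AzureRmRoleAssignment; a non-empty Extra list means the principal has been granted more than the procedure intends.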