Lucidity Assessment
The Assessment tool retrieves VM metadata and disk-level storage metrics, such as the number of VMs, attached managed disk details, and mount point details. It achieves this by utilizing one of the following native Azure services:

- Run command
- Azure VM Insights and Log Analytics workspace (LAW)
- Azure Monitor, through defining data collection rules (DCR)
The permissions listed below are necessary for the assessment tool to carry out operations such as enabling Log Analytics/Azure Monitor and creating workspaces, as per Azure documentation. This allows the tool to collect the required storage metrics. These permissions are only needed during the metric collection process and are temporary. Once the metrics are collected, the Assessment tool removes any configurations it introduced and does not retain them in the client's environment.

For the Lucidity assessment, we would need the following permissions.
| # | Permission Name | Description |
|---|---|---|
| 1 | Microsoft.RecoveryServices/vaults/replicationProtectedItems/read | To allow reading details of items protected under replication within Recovery Services vaults. |
| 2 | Microsoft.Authorization/locks/read | The assessment app requires this permission to detect and skip locked resource groups. |
| 3 | Microsoft.Authorization/roleAssignments/read | To identify which roles are assigned to which entities within the current scope. |
| 4 | Microsoft.Authorization/roleDefinitions/read | To read the role definitions of the above-mentioned role assignments. |
| 5 | Microsoft.Compute/disks/read | To access details about managed disks such as size, disk tier, etc. |
| 6 | Microsoft.Compute/virtualMachineScaleSets/read | To access VMSS details and metadata. |
| 7 | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read | To access details about the VMs that are part of a VMSS. |
| 8 | Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action | To run commands to get disk utilization of VMs within a VMSS. |
| 9 | Microsoft.Compute/virtualMachines/extensions/delete | During the assessment, the assessment application may add extensions (Azure Monitor agent and Log Analytics agent). If added by the assessment app, this permission is required to remove the extensions during the cleanup process, ensuring the system configuration remains consistent. |
| 10 | Microsoft.Compute/virtualMachines/extensions/read | The assessment app checks whether the Azure Monitor agent and Log Analytics agent extensions are already attached to Azure VMs. |
| 11 | Microsoft.Compute/virtualMachines/extensions/write | The assessment app adds the Azure Monitor agent and Log Analytics agent extensions to Azure VMs if they do not exist. |
| 12 | Microsoft.Compute/virtualMachines/instanceView/read | To access the instance state (STOPPED, RUNNING, etc.). |
| 13 | Microsoft.Compute/virtualMachines/read | To get VM metadata (VM size, type, configuration, IDs, etc.). |
| 14 | Microsoft.Compute/virtualMachines/runCommand/action | To perform Azure Run command to get disk utilization of VMs. This is an alternative in case Log Analytics could not fetch the utilization %. |
| 15 | Microsoft.Compute/virtualMachines/write | To deploy VM Insights within the VM, we need write permission on the instance. |
| 16 | Microsoft.CostManagement/query/read | To access managed disks' usage using the Azure Cost Management service. |
| 17 | Microsoft.Insights/DataCollectionRuleAssociations/Delete | During the assessment, the assessment application may create DCR associations. After the assessment is complete, this permission is required to remove the associations during the cleanup process, ensuring the system configuration remains consistent. |
| 18 | Microsoft.Insights/DataCollectionRuleAssociations/Read | To analyze current DCR associations in the scope and assess whether they provide access to utilization %. |
| 19 | Microsoft.Insights/DataCollectionRuleAssociations/Write | To associate a DCR with specific Azure Monitor extensions, enabling the collection of data from Azure Monitor. |
| 20 | Microsoft.Insights/DataCollectionRules/Delete | During the assessment, the assessment application may create DCRs. After the assessment is complete, this permission is required to remove the DCRs during the cleanup process, ensuring the system configuration remains consistent. |
| 21 | Microsoft.Insights/DataCollectionRules/Read | To retrieve the current data collection rules within the specified scope and determine whether an existing rule collects utilization %. |
| 22 | Microsoft.Insights/DataCollectionRules/Write | If Azure Monitor is used to collect metrics, a DCR must be defined to gather disk utilization data, as required by Azure. |
| 23 | Microsoft.Insights/Logs/Read | To read utilization metrics logged by the Log Analytics and Azure Monitor extensions from the VM. |
| 24 | Microsoft.RecoveryServices/vaults/read | To allow reading properties and configurations of Recovery Services vaults. |
| 25 | Microsoft.Insights/MetricDefinitions/Read | To read metric definitions from the Azure Monitor workspace. |
| 26 | Microsoft.Insights/Metricnamespaces/Read | To read metric namespaces in Azure Monitor and access the relevant metric definitions. |
| 27 | Microsoft.Insights/Metrics/Read | To read performance metrics (CPU, memory usage, disk I/O, etc.). |
| 28 | Microsoft.ManagedIdentity/userAssignedIdentities/assign/action | The Azure Monitor or Log Analytics Workspace (LAW) extensions connect to the logging service using this permission. |
| 29 | Microsoft.OperationalInsights/workspaces/delete | During the assessment, the assessment application creates a Log Analytics workspace. After the assessment is complete, this permission is required to remove the workspace during the cleanup process, ensuring the system configuration remains consistent. |
| 30 | Microsoft.OperationalInsights/workspaces/query/InsightsMetrics/read | To access the metrics collected by VM Insights that are sent to Log Analytics workspaces. |
| 31 | Microsoft.OperationalInsights/workspaces/query/read | To query the Log Analytics workspace and retrieve the data necessary for performing an assessment. |
| 32 | Microsoft.OperationalInsights/workspaces/read | To get details about the Log Analytics workspaces and see whether an existing LAW can be utilised. |
| 33 | Microsoft.OperationalInsights/workspaces/sharedKeys/action | For VM extensions to send logs to a Log Analytics workspace, Azure requires the use of a shared key for validation. |
| 34 | Microsoft.OperationalInsights/workspaces/write | To create a Log Analytics workspace to retrieve disk utilization data from VM Insights. |
| 35 | Microsoft.OperationsManagement/managementAssociations/read | To understand the current management associations and see whether an existing association can be utilised. |
| 36 | Microsoft.OperationsManagement/managementAssociations/write | To ensure logs are sent from all resources, an association between the Azure resources and the LAW needs to be created. |
| 37 | Microsoft.OperationsManagement/managementAssociations/delete | During the assessment, the assessment application may establish associations between the VM and the newly created workspace, allowing the VM to send data to the workspace via Log Analytics. After the assessment is complete, this permission is required to remove the associations during the cleanup process, ensuring the system configuration remains consistent. |
| 38 | Microsoft.OperationsManagement/managementConfigurations/read | To read the details of existing management configurations applied to resources. |
| 39 | Microsoft.OperationsManagement/managementConfigurations/write | To create management configurations to access Azure VM Insights. |
| 40 | Microsoft.OperationsManagement/managementConfigurations/delete | During the assessment, the assessment application configures a VM with the new workspace ID so that the VM knows where data should be sent; during the assessment the VM sends data to this workspace. After the assessment is complete, this permission is required to roll back the VM's configuration within the workspace during the cleanup process, ensuring the system configuration remains consistent. |
| 41 | Microsoft.OperationsManagement/register/action | To register the operations management service required to initialize Azure Monitor or Log Analytics to start managing resources. |
| 42 | Microsoft.OperationsManagement/solutions/read | To access the details of existing operations solutions in place, so that the assessment application can scope out the additional monitoring solutions it needs to implement. |
| 43 | Microsoft.OperationsManagement/solutions/write | To configure any monitoring service such as LAW or DCR, an operations management service needs to be created. |
| 44 | Microsoft.OperationsManagement/solutions/delete | During the assessment, the assessment application creates LAW/DCR services. Once the assessment is complete, these are removed to roll back the changes and maintain configuration consistency. |
| 45 | Microsoft.Resources/deployments/operations/read | To check current deployment operations triggered by the assessment app. |
| 46 | Microsoft.Resources/deployments/operationstatuses/read | To check the operational status of deployments created by the assessment app, for example the creation of LAW, DCR, VM Insights, etc. Note that this permission only allows the assessment application to know the status of the operations; a status such as "Succeeded" is fetched to confirm that operations are proceeding smoothly. |
| 47 | Microsoft.Resources/deployments/read | To read current deployments (for example, LAW, DCR or enabling VM Insights, created by the assessment app on the resource group). |
| 48 | Microsoft.Resources/deployments/write | To create a deployment (for example, LAW, DCR or enabling VM Insights) on a resource group. |
| 49 | Microsoft.Resources/deployments/delete | During the assessment, the assessment application creates deployments for tasks such as LAW/DCR creation and enabling VM Insights. Once the assessment is complete, this permission is required to remove the deployments as part of the cleanup process. |
| 50 | Microsoft.Resources/subscriptions/resourceGroups/read | To get the list of the resource groups present. |
| 51 | Microsoft.ContainerService/managedClusters/read | To allow reading details of existing managed Kubernetes clusters. |
| 52 | Microsoft.ContainerService/managedClusters/agentPools/machines/read | To allow reading details of the individual nodes/machines in agent pools within a managed Kubernetes cluster. |
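Because the table enumerates every action the tool needs, the role you grant can be checked against it before the assessment runs and again before it is revoked. The script below is an added example written for this page; it is not part of the Lucidity tool or of Azure's SDK. It takes a custom role definition as a plain dict with `Actions` and `NotActions` lists, applies the Azure RBAC matching rules assumed here (case-insensitive comparison, `*` matching any run of characters including `/`, `NotActions` subtracting from `Actions`), and reports required actions the role fails to grant, explicit actions outside the list, and wildcard patterns that necessarily reach beyond it. The two sample roles at the bottom (`EXACT_ROLE`, `BROAD_ROLE`) and the function names are constructed for the example.

```python
"""Least-privilege check for the permission set above (added example).

Given an Azure custom role definition as a dict with "Actions" and
"NotActions" lists (both may use Azure RBAC's '*' wildcard), report:
  - required actions the role does NOT grant (the assessment would fail),
  - explicit actions the role grants that are not in the required list,
  - wildcard patterns, which necessarily reach beyond the enumerated list.
Azure RBAC semantics assumed here: matching is case-insensitive, '*'
matches any run of characters including '/', and NotActions subtract
from Actions. The two sample roles at the bottom are constructed.
"""
import re

# The 52 actions from the table, grouped by resource provider to keep the
# listing compact; the strings are reproduced exactly as written above.
_REQUIRED_BY_PROVIDER = {
    "Microsoft.Authorization": ["locks/read", "roleAssignments/read", "roleDefinitions/read"],
    "Microsoft.Compute": [
        "disks/read", "virtualMachineScaleSets/read",
        "virtualMachineScaleSets/virtualMachines/read",
        "virtualMachineScaleSets/virtualMachines/runCommand/action",
        "virtualMachines/extensions/delete", "virtualMachines/extensions/read",
        "virtualMachines/extensions/write", "virtualMachines/instanceView/read",
        "virtualMachines/read", "virtualMachines/runCommand/action", "virtualMachines/write",
    ],
    "Microsoft.ContainerService": ["managedClusters/read", "managedClusters/agentPools/machines/read"],
    "Microsoft.CostManagement": ["query/read"],
    "Microsoft.Insights": [
        "DataCollectionRuleAssociations/Delete", "DataCollectionRuleAssociations/Read",
        "DataCollectionRuleAssociations/Write", "DataCollectionRules/Delete",
        "DataCollectionRules/Read", "DataCollectionRules/Write", "Logs/Read",
        "MetricDefinitions/Read", "Metricnamespaces/Read", "Metrics/Read",
    ],
    "Microsoft.ManagedIdentity": ["userAssignedIdentities/assign/action"],
    "Microsoft.OperationalInsights": [
        "workspaces/delete", "workspaces/query/InsightsMetrics/read", "workspaces/query/read",
        "workspaces/read", "workspaces/sharedKeys/action", "workspaces/write",
    ],
    "Microsoft.OperationsManagement": [
        "managementAssociations/read", "managementAssociations/write", "managementAssociations/delete",
        "managementConfigurations/read", "managementConfigurations/write",
        "managementConfigurations/delete", "register/action",
        "solutions/read", "solutions/write", "solutions/delete",
    ],
    "Microsoft.RecoveryServices": ["vaults/replicationProtectedItems/read", "vaults/read"],
    "Microsoft.Resources": [
        "deployments/operations/read", "deployments/operationstatuses/read", "deployments/read",
        "deployments/write", "deployments/delete", "subscriptions/resourceGroups/read",
    ],
}
REQUIRED_ACTIONS = [f"{prov}/{op}" for prov, ops in _REQUIRED_BY_PROVIDER.items() for op in ops]

# Verbs that change state; these are the ones worth revoking once cleanup is done.
MUTATING_SUFFIXES = ("/write", "/delete", "/action")


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile an RBAC action string (optionally containing '*') to a regex."""
    escaped_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(escaped_parts) + "$", re.IGNORECASE)


def action_matches(pattern: str, action: str) -> bool:
    """True if the RBAC pattern covers the concrete action (case-insensitive)."""
    return _pattern_to_regex(pattern).match(action) is not None


def is_granted(role: dict, action: str) -> bool:
    """Azure evaluation: some Actions entry matches and no NotActions entry does."""
    allowed = any(action_matches(p, action) for p in role.get("Actions", []))
    denied = any(action_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied


def check_role(role: dict) -> dict:
    """Compare a role definition against REQUIRED_ACTIONS."""
    required_lc = {a.lower() for a in REQUIRED_ACTIONS}
    actions = role.get("Actions", [])
    return {
        "missing": [a for a in REQUIRED_ACTIONS if not is_granted(role, a)],
        "extra": [p for p in actions if "*" not in p and p.lower() not in required_lc],
        "wildcards": [p for p in actions if "*" in p],
    }


def mutating_required() -> list:
    """The subset of required actions that create, change or delete resources."""
    return [a for a in REQUIRED_ACTIONS if a.lower().endswith(MUTATING_SUFFIXES)]


# Constructed sample roles: one scoped exactly to the table, one over-broad.
EXACT_ROLE = {"Name": "lucidity-assessment (constructed)",
              "Actions": list(REQUIRED_ACTIONS), "NotActions": []}
BROAD_ROLE = {"Name": "over-broad (constructed)",
              "Actions": ["Microsoft.Compute/*", "Microsoft.Insights/*/Read",
                          "Microsoft.Storage/storageAccounts/read"],
              "NotActions": ["Microsoft.Compute/virtualMachines/write"]}

if __name__ == "__main__":
    for role in (EXACT_ROLE, BROAD_ROLE):
        result = check_role(role)
        print(f"{role['Name']}: {len(result['missing'])} missing, "
              f"{len(result['extra'])} extra, {len(result['wildcards'])} wildcard pattern(s)")
    print(f"{len(mutating_required())} of {len(REQUIRED_ACTIONS)} required actions are mutating")
```

Running it shows that `EXACT_ROLE` grants everything with nothing extra, while `BROAD_ROLE` still misses 36 required actions despite using two wildcards, which is the usual outcome of granting provider-wide `*` patterns instead of the enumerated list. The `mutating_required` split is the practical follow-up to the note above that the permissions are temporary: the 22 write/delete/action entries are the ones to confirm removed once the tool's cleanup has finished, while the read entries carry far less risk if they linger.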