Access & Permissions Required
Lucidity AutoScaler for Azure manages disk expansion and shrink operations on your virtual machines using a secure multi-tenant Azure AD Application. Lucidity hosts the AutoScaler application in its own Azure tenant. To allow Lucidity to operate in your environment, your Azure tenant must:
Create a Service Principal from Lucidity’s published application
Application ID: 4f2c2c1f-372a-4904-b13d-11e2467679f2
Assign RBAC permissions to this Service Principal, scoped to the subscription managed by Lucidity.
In simple terms, the customer grants trust and permission to the application in the Lucidity tenant so that the Lucidity AutoScaler can perform the actions needed to autoscale disks. These permissions are required to:
Create, attach, detach, and delete Lucidity Managed Disks
Manage disk configuration and encryption integrations
Perform one-time agent installation via VM Run Command
All actions are fully auditable through Azure Activity Logs.
Who Can Perform Integration
The user performing Azure subscription onboarding must be:
Subscription Owner, to create the RBAC role and assignment, and
Entra ID (Azure AD) administrator with rights to create the Service Principal
This elevated access is needed only once during setup. Ongoing AutoScaling actions do not require further administrative privileges.
Least-Privilege RBAC Role
A ‘Lucidity Custom Role’ is assigned to the Service Principal and is tightly scoped. When using the Lucidity Dashboard with automated onboarding, the Service Principal and RBAC assignments are created and applied for you. Manual setup is available if automation is not feasible. To learn why each individual permission is needed, visit: Azure Permission Overview
Below is the “actions” section of the custom role definition for AutoScaler only:

```json
"actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/reapply/action",
    "Microsoft.Compute/virtualMachines/redeploy/action",
    "Microsoft.Compute/disks/read",
    "Microsoft.Compute/disks/write",
    "Microsoft.Compute/disks/delete",
    "Microsoft.Compute/disks/beginGetAccess/action",
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Compute/snapshots/delete",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action",
    "Microsoft.Compute/virtualMachines/runCommand/action",
    "Microsoft.Compute/virtualMachines/runCommands/read",
    "Microsoft.Compute/virtualMachines/runCommands/write",
    "Microsoft.Network/networkInterfaces/join/action",
    "Microsoft.Compute/images/read",
    "Microsoft.Compute/galleries/images/read",
    "Microsoft.Compute/galleries/images/versions/read",
    "Microsoft.Compute/locations/communityGalleries/images/read",
    "Microsoft.Compute/locations/communityGalleries/images/versions/read",
    "Microsoft.Compute/locations/sharedGalleries/images/read",
    "Microsoft.Compute/locations/sharedGalleries/images/versions/read",
    "Microsoft.Compute/diskEncryptionSets/read",
    "Microsoft.Insights/Metricnamespaces/Read",
    "Microsoft.Insights/MetricDefinitions/Read",
    "Microsoft.Insights/MetricBaselines/Read",
    "Microsoft.Insights/Metrics/Read",
    "Microsoft.Authorization/roleDefinitions/read",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Capacity/resourceProviders/locations/serviceLimits/read",
    "Microsoft.CostManagement/*/read",
    "Microsoft.ResourceGraph/resources/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
]
```

Note
This grants permissions for AutoScaler only.
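As an added example (not Lucidity’s code), the following Python check compares a custom role definition exported from your tenant against the action list published above and flags anything that widens the role: actions outside the allow-list, non-read wildcards, any dataActions, and assignable scopes beyond the one onboarded subscription. The subscription ID is a placeholder, the sample role is constructed, and only a subset of the published actions is embedded.

```python
import fnmatch
import json

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real ID

# Subset of the "actions" published on this page; paste the full list for a real audit.
PUBLISHED_ACTIONS = {
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/disks/read",
    "Microsoft.Compute/disks/write",
    "Microsoft.Compute/disks/delete",
    "Microsoft.Compute/virtualMachines/runCommand/action",
    "Microsoft.CostManagement/*/read",
}

def audit_role(role_json: str) -> dict:
    """Compare an exported role definition with the published allow-list.
    Azure matches operation names case-insensitively, so compare lower-cased."""
    props = json.loads(role_json).get("properties", {})
    perms = props.get("permissions", [])
    actions = {a for p in perms for a in p.get("actions", [])}
    data_actions = {a for p in perms for a in p.get("dataActions", [])}

    def covered(action: str) -> bool:
        # A published wildcard (Microsoft.CostManagement/*/read) covers its
        # concrete actions; a wildcard in the audited role is never covered.
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in PUBLISHED_ACTIONS)

    extra = sorted(a for a in actions if not covered(a))
    # Non-read wildcards widen the role well beyond least privilege.
    broad = sorted(a for a in actions if "*" in a and not a.lower().endswith("/read"))
    wanted = f"/subscriptions/{SUBSCRIPTION_ID}".lower()
    scopes = sorted(s for s in props.get("assignableScopes", []) if s.lower() != wanted)
    return {"extra_actions": extra, "broad_wildcards": broad,
            "data_actions": sorted(data_actions), "unexpected_scopes": scopes,
            "ok": not (extra or broad or data_actions or scopes)}

# Constructed sample: the role was "simplified" with a provider-wide wildcard
# and its assignable scope widened to a management group.
SAMPLE_ROLE = json.dumps({"properties": {
    "roleName": "Lucidity Custom Role",
    "permissions": [{"actions": ["Microsoft.Compute/*", "Microsoft.Compute/disks/read",
                                 "Microsoft.CostManagement/query/read"], "dataActions": []}],
    "assignableScopes": [f"/subscriptions/{SUBSCRIPTION_ID}",
                         "/providers/Microsoft.Management/managementGroups/root"]}})

if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE_ROLE), indent=2))
```

Run it against the JSON returned by `az role definition list --custom-role-only true` for your subscription to confirm the assigned role still matches the published snippet.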