Reference: Azure Permissions

The service principal that you set up in Azure specifies the permissions that Turbonomic needs to discover and monitor your Azure workloads. Permissions to execute actions from Turbonomic are optional.

Minimum Permissions - Workload Monitoring

The following minimum permissions are required to monitor Azure workloads.

Turbonomic Functionality	Required Permissions
Role validation	`Microsoft.Authorization/roleAssignments/read` Validates the role assigned to the Service Principal by checking if it has the minimum required permissions `Microsoft.Authorization/roleDefinitions/read` Queries the permissions list from the assigned custom role
Discovery of subscriptions	`Microsoft.Resources/subscriptions/read` Gets a list of accessible subscriptions for a tenant
Discovery of resource groups, locations, and SKUs	`Microsoft.Resources/subscriptions/locations/read` List all locations available for the subscriptions `Microsoft.Resources/subscriptions/resourceGroups/read` Discovers all resource groups for the subscriptions `Microsoft.Compute/skus/read` Gets a list of `Microsoft.Compute` SKUs available for your subscription
Discovery of storage accounts	`Microsoft.Storage/storageAccounts/read` Gets a list of storage accounts or gets the properties of a specific storage account
Discovery of metrics for various entities	`Microsoft.Insights/Metrics/Read` Reads metrics for various resources from Azure Monitor `Microsoft.OperationalInsights/workspaces/read` Queries a list of Log Analytics workspaces. Certain metrics (such as VM memory) are fetched from these workspaces. `Microsoft.OperationalInsights/workspaces/query/read` Allows queries to data (such as metrics) stored in Log Analytics workspaces `Microsoft.OperationalInsights/workspaces/query/InsightsMetrics/read` Queries the `InsightsMetrics` Log Analytics table for VM memory metrics. Azure Monitor Agent must be configured to send memory metrics to the table. `Microsoft.OperationalInsights/workspaces/query/Perf/read` (Only required if the `Perf` Log Analytics table is configured for VM memory metrics, instead of the `InsightsMetrics` Log Analytics table) Queries the `Perf` Log Analytics table for VM memory metrics
Discovery of VMs	`Microsoft.Compute/virtualMachines/instanceView/read` Gets the detailed runtime status of a VM and its resources `Microsoft.Compute/virtualMachines/read` Gets the properties of a VM `Microsoft.Compute/virtualMachines/extensions/read` (Only required if using storage account for VM memory configuration) Gets the properties of a VM extension, to detect diagnostics extension before fetching memory metrics from storage account
Discovery of VM scale sets and availability sets	`Microsoft.Compute/virtualMachineScaleSets/read` Gets the properties of a VM scale set `Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read` Lists all the network interfaces of a VM scale set and gets their properties `Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read` Retrieves the instance view of a VM in a scale set `Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read` Retrieves the properties of a VM in a scale set `Microsoft.Compute/virtualMachineScaleSets/virtualMachines/extensions/read` (Only required if VM memory is configured onto a storage account table via a diagnostics agent extension) Gets the properties of an extension for a VM in a scale set `Microsoft.Compute/availabilitySets/read` Lists all availability sets and gets their properties `Microsoft.Compute/availabilitySets/vmSizes/read` Lists available sizes for creating or updating a VM in an availability set
Discovery of reservations	`Microsoft.Capacity/reservationorders/reservations/read` Monitors reservations data and reads all reservations `Microsoft.Capacity/catalogs/read` Reads the catalog of reservations
Discovery of volumes	`Microsoft.Compute/disks/read` Gets the properties of volumes `Microsoft.Storage/storageAccounts/listkeys/action` (Only required if there are unmanaged disks that are attached to VMs) Discovers or queries unmanaged attached disks (volumes) in the storage account. Unmanaged disks that are not attached to VMs are not discovered.
Discovery of SQL databases (vCore/ DTU) and metrics	`Microsoft.Sql/servers/read` Lists all SQL servers in this subscription and gets their details `Microsoft.Sql/servers/databases/read` Lists and gets details about all SQL databases for all SQL servers in the subscription `Microsoft.Sql/servers/databases/metrics/read` Queries metrics for SQL databases
Discovery of resources used in Azure Synapse Analytics	`Microsoft.Synapse/SKUs/read` Reads SKU details for a Synapse Analytics Service resource, such as SQL pools Note: This permission is not required for Azure Government. `Microsoft.Synapse/workspaces/read` Reads details about Synapse workspaces `Microsoft.Synapse/workspaces/keys/read` Gets details of Synapse workspace key definitions `Microsoft.Synapse/workspaces/sqlDatabases/read` Reads a list of Synapse SQL Analytics databases `Microsoft.Synapse/workspaces/sqlPools/read` Reads a list of Synapse SQL Analytics pools `Microsoft.Synapse/workspaces/sqlPools/dataWarehouseUserActivities/read` Reads user activities on Synapse SQL Analytics pools `Microsoft.Synapse/workspaces/sqlPools/extensions/read` Gets extensions for Synapse SQL Analytics pools `Microsoft.Synapse/workspaces/sqlPools/operationStatuses/read` Reads the results of asynchronous operations on Synapse SQL Analytics pools `Microsoft.Synapse/workspaces/sqlPools/usages/read` Reads usage metrics for Synapse SQL Analytics pools `Microsoft.Synapse/workspaces/sqlUsages/read` Gets usage limits available for Synapse SQL Analytics pools
Discovery of App Services (plans/app instances) and metrics	`Microsoft.Relay/namespaces/HybridConnections/read` Lists all Service Bus Hybrid Connections used by web apps `Microsoft.Web/geoRegions/Read` Gets a list of available geographical regions for App Services `Microsoft.Web/serverfarms/Read` Lists and gets the properties of App Service plans `Microsoft.Web/serverfarms/sites/read` Gets a list of web apps that are part of App Service plans `Microsoft.Web/serverfarms/skus/read` Gets SKUs for App Service plans `Microsoft.Web/sites/read` Gets the properties of web apps that are part of App Service plans `Microsoft.Web/sites/slots/Read` Gets the properties of a web app deployment slot `Microsoft.Web/serverfarms/metrics/read` Queries metrics for App Services plans `Microsoft.Web/serverfarms/usages/read` Gets usage information for App Service plans `Microsoft.Web/sites/metrics/read` Gets metrics for web apps that are part of App Service plans `Microsoft.Web/sites/usages/read` Gets usage information for web apps that are part of App Service plans
Discovery of Cosmos DB resources	`Microsoft.DocumentDB/databaseAccounts/read` Gets the properties of a database account `Microsoft.DocumentDB/databaseAccounts/databases/metrics/read` Queries metrics for a database account `Microsoft.DocumentDB/databaseAccounts/databases/collections/metrics/read` Queries metrics for a container `Microsoft.DocumentDB/databaseAccounts/metrics/read` Queries metrics for a database `Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/read` Gets the properties of an Apache Cassandra keyspace `Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/read` Gets the throughput of an Apache Cassandra keyspace `Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/read` Gets the properties of an Apache Cassandra table `Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/read` Gets the throughput of an Apache Cassandra table `Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/read` Gets the properties of a MongoDB database `Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/read` Gets the throughput of a MongoDB database `Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/read` Gets the properties of a MongoDB collection `Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/read` Gets the throughput of a MongoDB collection `Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/read` Gets the properties of an Apache Gremlin database `Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/read` Gets the throughput of an Apache Gremlin database `Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/read` Gets the properties of an Apache Gremlin graph `Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/read` Gets the throughput of an Apache Gremlin graph `Microsoft.DocumentDB/databaseAccounts/tables/read` Gets the properties of an Azure table `Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/read` Gets the throughput of an Azure table `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read` Gets the properties of a NoSQL account database `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/read` Gets the throughput of a NoSQL account database `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read` Get the properties of a NoSQL account container `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/read` Gets the throughput of a NoSQL account container `Microsoft.DocumentDB/databaseAccounts/usages/read` Gets the storage usage for a database account
Discovery of clusters managed by Azure Kubernetes Service (AKS)	`Microsoft.ContainerService/managedClusters/read` Discovers and lists managed container platform clusters `Microsoft.ContainerService/managedClusters/agentPools/read` Discovers agent pools on managed container platform clusters
Discovery of desktop virtualization (VDI)	`Microsoft.DesktopVirtualization/hostpools/read` Discovers Azure Desktop Virtualization host pools `Microsoft.DesktopVirtualization/hostpools/sessionhosts/read` Discovers session hosts in Azure Desktop Virtualization host pools
Discovery of network resources	`Microsoft.Network/networkInterfaces/read` Lists and gets details about network interfaces for resources `Microsoft.Network/publicIPAddresses/read` Lists and gets details about public IP addresses for resources
Discovery of pricing information	`Microsoft.Commerce/RateCard/read` Discovers pricing information from the pay-as-you-go rate card; also returns offer data, resource/meter metadata, and rates for the given subscription `Microsoft.Consumption/pricesheets/read` Discovers pricing information from an Enterprise Agreement price sheet, and lists the price sheets data for a subscription or a management group

Minimum Permissions - Action Execution

The following permissions are required only if you want to execute actions for Azure workloads from Turbonomic.

Turbonomic Functionality	Required Permissions
Discovery of locks that could prevent action execution	`Microsoft.Authorization/locks/read` Lists all locks for a subscription, and creates action prerequisites that may prevent action execution if locks prevent write operations
Execution of actions for VMs	`Microsoft.Compute/virtualMachines/deallocate/action` Stops a VM to execute a disruptive action; powers off the VM and releases the allocated compute resources `Microsoft.Compute/virtualMachines/powerOff/action` Suspends a VM by powering it off. The VM will continue to be billed while suspended. `Microsoft.Compute/virtualMachines/start/action` Restarts a VM that was stopped to execute a disruptive action `Microsoft.Compute/virtualMachines/vmSizes/read` Lists available sizes that a VM can update to `Microsoft.Compute/virtualMachines/write` Updates a VM (for example, its size) as part of executing scale actions `Microsoft.Network/networkInterfaces/join/action` Allows a VM or VM scale set to rejoin its network after a scale action executes, by attaching the network interface to the VM `Microsoft.KeyVault/vaults/deploy/action` (Only required if a VM to be scaled is using Azure Key Vault) Enables access to secrets in a key vault when deploying Azure resources to the VM Azure Compute Gallery images (Only required during VM scaling execution if VM images are located in a separate Azure Compute Gallery image, such as in a different subscription) `Microsoft.Compute/galleries/images/read` Gets the properties of Azure Compute Gallery images `Microsoft.Compute/galleries/images/versions/read` Gets the versions for Azure Compute Gallery images `Microsoft.Compute/galleries/read` Gets Azure Compute Gallery images `Microsoft.Compute/images/read` Gets the properties of the image
Execution of actions for VM scale sets and availability sets	`Microsoft.Compute/virtualMachineScaleSets/deallocate/action` Stops a VM scale set to execute a disruptive action; powers off and releases the compute resources of the instances used by the VM scale set `Microsoft.Compute/virtualMachineScaleSets/start/action` Restarts the VMs that were stopped to execute a disruptive action on VM scale set `Microsoft.Compute/virtualMachineScaleSets/vmSizes/read` Lists available sizes for creating or updating a VM in a scale set `Microsoft.Compute/virtualMachineScaleSets/write` Updates a VM scale set (for example, its size) as part of executing scale actions for VM scale sets `Microsoft.Insights/AutoscaleSettings/Write` Updates an `autoscale` setting as part of scale action execution
Execution of actions for Azure Kubernetes Service (AKS) nodes (VMs)	`Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action` Lists the `clusterAdmin` credentials of a managed cluster `Microsoft.Compute/virtualMachineScaleSets/virtualMachines/delete` Deletes a specific VM in a VM scale set `Microsoft.Compute/virtualMachines/delete` Deletes a specific VM `Microsoft.ContainerService/managedClusters/write` Creates a new managed cluster or updates an existing one `Microsoft.ContainerService/managedClusters/agentPools/write` Creates or updates an agent pool in the specified managed cluster `Microsoft.OperationalInsights/workspaces/sharedkeys/read` Gets the shared keys for the Log Analytics workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace. `Microsoft.OperationsManagement/solutions/write` Create a new OMS solution `Microsoft.OperationsManagement/solutions/read` Gets an exiting OMS solution
Execution of actions for volumes	`Microsoft.Compute/disks/write` Resizes or changes the storage tier of volumes Executes scale actions for volumes and re-attaches volumes to VMs after scaling `Microsoft.Compute/disks/delete` Deletes unattached volumes for managed disks `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete` Deletes unmanaged disks that became unattached after the deletion of unattached volumes `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` Checks if a page blob exists before deleting unmanaged disks that became unattached, and returns the properties of an existing page blob `Microsoft.Storage/storageAccounts/blobServices/containers/read` Lists blob containers Finds containers hosting unmanaged disks that became unattached and are to be deleted Recovery Services Vault (Only required if volumes are used for disaster recovery) Prevents the deletion of volumes used for disaster recovery, even if they become unattached `Microsoft.RecoveryServices/Vaults/read` Gets a list of Recovery Services Vaults containing replicated disks `Microsoft.RecoveryServices/vaults/replicationProtectedItems/read` Reads the Disk IDs of any protected items in the vaults
Execution of actions for SQL databases (vCore and DTU)	`Microsoft.Sql/servers/databases/write` Executes scale actions for DTU and vCore databases, and updates database properties `Microsoft.Sql/servers/databases/pause/action` Pauses a database as part of executing a scale or suspend action `Microsoft.Sql/servers/databases/resume/action` Resumes a paused database as part of executing a scale or suspend action
Execution of actions for dedicated SQL pools for Azure Synapse Analytics	`Microsoft.Synapse/workspaces/sqlPools/pause/action` Suspends or stops a Synapse SQL Analytics pool `Microsoft.Synapse/workspaces/sqlPools/resume/action` Resumes a suspended or stopped Synapse SQL Analytics pool
Execution of actions for App Services (plans)	`Microsoft.Web/serverfarms/Delete` Deletes an empty App Service plan (one that is not hosting any running apps) `Microsoft.Web/serverfarms/Write` Updates an App Service plan as part of a scale action
Execution of actions for Cosmos DB databases and document collections	`Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/delete` Deletes an Apache Cassandra keyspace `Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/write` Updates the throughput of an Apache Cassandra keyspace `Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/write` Updates the throughput of an Apache Cassandra table `Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/write` Updates the throughput of a MongoDB collection `Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/delete` Deletes a MongoDB database `Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/write` Updates the throughput of a MongoDB database `Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/delete` Deletes an Apache Gremlin database `Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/write` Updates the throughput of an Apache Gremlin database `Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/write` Updates the throughput of an Apache Gremlin graph `Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/write` Updates the throughput of an Azure table `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/delete` Deletes a NoSQL account database `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/write` Updates the throughput of a NoSQL account database `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/write` Updates the throughput of NoSQL account container

Sample JSON - Minimum Permissions for Workload Monitoring

In Azure, you can create a custom role that specifies the permissions that Turbonomic needs to monitor workloads in your subscriptions.

When you create the role, you have the option of uploading a JSON file that specifies the permissions and settings for the role. You can copy the content in this section to the JSON file.

{
    "properties": {
        "roleName": "<RoleName>",
        "description": "",
        "assignableScopes": [
            "/subscriptions/<Subscription_ID>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/roleAssignments/read",
                    "Microsoft.Authorization/roleDefinitions/read",
                    "Microsoft.Capacity/catalogs/read",
                    "Microsoft.Capacity/reservationorders/reservations/read",
                    "Microsoft.Commerce/RateCard/read",
                    "Microsoft.Compute/availabilitySets/read",
                    "Microsoft.Compute/availabilitySets/vmSizes/read",
                    "Microsoft.Compute/disks/read",
                    "Microsoft.Compute/skus/read",
                    "Microsoft.Compute/virtualMachines/extensions/read",
                    "Microsoft.Compute/virtualMachines/instanceView/read",
                    "Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read",
                    "Microsoft.Compute/virtualMachineScaleSets/read",
                    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/extensions/read",
                    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read",
                    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
                    "Microsoft.Consumption/pricesheets/read",
                    "Microsoft.ContainerService/managedClusters/agentPools/read",
                    "Microsoft.ContainerService/managedClusters/read",
                    "Microsoft.DesktopVirtualization/hostpools/read",
                    "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
                    "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/read",
                    "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/read",
                    "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/read",
                    "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/read",
                    "Microsoft.DocumentDB/databaseAccounts/databases/collections/metrics/read",
                    "Microsoft.DocumentDB/databaseAccounts/databases/metrics/read",
                    "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/read",
                    "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/read",
                    "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/read",
                    "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/read",
                    "Microsoft.DocumentDB/databaseAccounts/metrics/read",
                    "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/read",
                    "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/read",
                    "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/read",
                    "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/read",
                    "Microsoft.DocumentDB/databaseAccounts/read",
                    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read",
                    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/read",
                    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read",
                    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/read",
                    "Microsoft.DocumentDB/databaseAccounts/tables/read",
                    "Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/read",
                    "Microsoft.DocumentDB/databaseAccounts/usages/read",
                    "Microsoft.Insights/Metrics/Read",
                    "Microsoft.Network/networkInterfaces/read",
                    "Microsoft.Network/publicIPAddresses/read",
                    "Microsoft.OperationalInsights/workspaces/query/InsightsMetrics/read",
                    "Microsoft.OperationalInsights/workspaces/query/Perf/read",
                    "Microsoft.OperationalInsights/workspaces/query/read",
                    "Microsoft.OperationalInsights/workspaces/read",
                    "Microsoft.Relay/namespaces/HybridConnections/read",
                    "Microsoft.Resources/subscriptions/locations/read",
                    "Microsoft.Resources/subscriptions/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Sql/servers/databases/metrics/read",
                    "Microsoft.Sql/servers/databases/read",
                    "Microsoft.Sql/servers/read",
                    "Microsoft.Storage/storageAccounts/listkeys/action",
                    "Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Synapse/SKUs/read",
                    "Microsoft.Synapse/workspaces/keys/read",
                    "Microsoft.Synapse/workspaces/read",
                    "Microsoft.Synapse/workspaces/sqlDatabases/read",
                    "Microsoft.Synapse/workspaces/sqlPools/dataWarehouseUserActivities/read",
                    "Microsoft.Synapse/workspaces/sqlPools/extensions/read",
                    "Microsoft.Synapse/workspaces/sqlPools/operationStatuses/read",
                    "Microsoft.Synapse/workspaces/sqlPools/read",
                    "Microsoft.Synapse/workspaces/sqlPools/usages/read",
                    "Microsoft.Synapse/workspaces/sqlUsages/read",
                    "Microsoft.Web/geoRegions/Read",
                    "Microsoft.Web/serverfarms/metrics/read",
                    "Microsoft.Web/serverfarms/Read",
                    "Microsoft.Web/serverfarms/sites/read",
                    "Microsoft.Web/serverfarms/skus/read",
                    "Microsoft.Web/serverfarms/usages/read",
                    "Microsoft.Web/sites/metrics/read",
                    "Microsoft.Web/sites/read",
                    "Microsoft.Web/sites/slots/Read",
                    "Microsoft.Web/sites/usages/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Note:

Be sure to update the following information in the JSON file:

<RoleName> – Specify your preferred name for the custom role.
<Subscription_ID> – Specify the ID of the subscription that Turbonomic will manage.

Sample JSON - Minimum Permissions for Workload Monitoring and Action Execution

In Azure, you can create a custom role that specifies the permissions that Turbonomic needs to monitor workloads in your subscriptions and execute actions for these workloads.

When you create the role, you have the option of uploading a JSON file that specifies the permissions and settings for the role. You can copy the content in this section to the JSON file.

{
    "properties": {
        "roleName": "<RoleName>",
        "description": "",
        "assignableScopes": [
            "/subscriptions/<Subscription_ID>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/locks/read",
                    "Microsoft.Authorization/roleAssignments/read",
                    "Microsoft.Authorization/roleDefinitions/read",
                    "Microsoft.Capacity/catalogs/read",
                    "Microsoft.Capacity/reservationorders/reservations/read",
                    "Microsoft.Commerce/RateCard/read",
                    "Microsoft.Compute/availabilitySets/read",
                    "Microsoft.Compute/availabilitySets/vmSizes/read",
                    "Microsoft.Compute/disks/delete",
                    "Microsoft.Compute/disks/read",
                    "Microsoft.Compute/disks/write",
                    "Microsoft.Compute/galleries/images/read",
                    "Microsoft.Compute/galleries/images/versions/read",
                    "Microsoft.Compute/galleries/read",
                    "Microsoft.Compute/images/read",
                    "Microsoft.Compute/skus/read",
                    "Microsoft.Compute/virtualMachineScaleSets/deallocate/action",
                    "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read",
                    "Microsoft.Compute/virtualMachineScaleSets/read",
                    "Microsoft.Compute/virtualMachineScaleSets/start/action",
                    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/delete",
                    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/extensions/read",
                    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read",
                    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
                    "Microsoft.Compute/virtualMachineScaleSets/vmSizes/read",
                    "Microsoft.Compute/virtualMachineScaleSets/write",
                    "Microsoft.Compute/virtualMachines/deallocate/action",
                    "Microsoft.Compute/virtualMachines/delete",
                    "Microsoft.Compute/virtualMachines/extensions/read",
                    "Microsoft.Compute/virtualMachines/instanceView/read",
                    "Microsoft.Compute/virtualMachines/powerOff/action",
                    "Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachines/start/action",
                    "Microsoft.Compute/virtualMachines/vmSizes/read",
                    "Microsoft.Compute/virtualMachines/write",
                    "Microsoft.Consumption/pricesheets/read",
                    "Microsoft.ContainerService/managedClusters/agentPools/read",
                    "Microsoft.ContainerService/managedClusters/agentPools/write",
                    "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
                    "Microsoft.ContainerService/managedClusters/read",
                    "Microsoft.ContainerService/managedClusters/write",
                    "Microsoft.DesktopVirtualization/hostpools/read",
                    "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
                    "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/delete",
                    "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/read",
                    "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/read",
                    "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/read",
                    "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/write",
                    "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/read",
                    "Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/write",
                    "Microsoft.DocumentDB/databaseAccounts/databases/collections/metrics/read",
                    "Microsoft.DocumentDB/databaseAccounts/databases/metrics/read",
                    "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/delete",
                    "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/read",
                    "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/read",
                    "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/write",
                    "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/read",
                    "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/read",
                    "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/write",
                    "Microsoft.DocumentDB/databaseAccounts/metrics/read",
                    "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/read",
                    "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/read",
                    "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/write",
                    "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/delete",
                    "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/read",
                    "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/read",
                    "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/write",
                    "Microsoft.DocumentDB/databaseAccounts/read",
                    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read",
                    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/read",
                    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/write",
                    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/delete",
                    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read",
                    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/read",
                    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/write",
                    "Microsoft.DocumentDB/databaseAccounts/tables/read",
                    "Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/read",
                    "Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/write",
                    "Microsoft.DocumentDB/databaseAccounts/usages/read",
                    "Microsoft.Insights/AutoscaleSettings/Write",
                    "Microsoft.Insights/Metrics/Read",
                    "Microsoft.KeyVault/vaults/deploy/action",
                    "Microsoft.Migrate/migrateprojects/read",
                    "Microsoft.Migrate/migrateprojects/solutions/getconfig/action",
                    "Microsoft.Migrate/migrateprojects/solutions/read",
                    "Microsoft.Network/networkInterfaces/join/action",
                    "Microsoft.Network/networkInterfaces/read",
                    "Microsoft.Network/publicIPAddresses/read",
                    "Microsoft.OperationalInsights/workspaces/query/InsightsMetrics/read",
                    "Microsoft.OperationalInsights/workspaces/query/Perf/read",
                    "Microsoft.OperationalInsights/workspaces/query/read",
                    "Microsoft.OperationalInsights/workspaces/read",
                    "Microsoft.OperationalInsights/workspaces/sharedkeys/read",
                    "Microsoft.OperationsManagement/solutions/read",
                    "Microsoft.OperationsManagement/solutions/write",
                    "Microsoft.RecoveryServices/Vaults/read",
                    "Microsoft.RecoveryServices/vaults/replicationProtectedItems/read",
                    "Microsoft.Relay/namespaces/HybridConnections/read",
                    "Microsoft.Resources/subscriptions/locations/read",
                    "Microsoft.Resources/subscriptions/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Sql/servers/databases/metrics/read",
                    "Microsoft.Sql/servers/databases/pause/action",
                    "Microsoft.Sql/servers/databases/read",
                    "Microsoft.Sql/servers/databases/resume/action",
                    "Microsoft.Sql/servers/databases/write",
                    "Microsoft.Sql/servers/read",
                    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
                    "Microsoft.Storage/storageAccounts/listkeys/action",
                    "Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Synapse/SKUs/read",
                    "Microsoft.Synapse/workspaces/keys/read",
                    "Microsoft.Synapse/workspaces/read",
                    "Microsoft.Synapse/workspaces/sqlDatabases/read",
                    "Microsoft.Synapse/workspaces/sqlPools/dataWarehouseUserActivities/read",
                    "Microsoft.Synapse/workspaces/sqlPools/extensions/read",
                    "Microsoft.Synapse/workspaces/sqlPools/operationStatuses/read",
                    "Microsoft.Synapse/workspaces/sqlPools/pause/action",
                    "Microsoft.Synapse/workspaces/sqlPools/read",
                    "Microsoft.Synapse/workspaces/sqlPools/resume/action",
                    "Microsoft.Synapse/workspaces/sqlPools/usages/read",
                    "Microsoft.Synapse/workspaces/sqlUsages/read",
                    "Microsoft.Web/geoRegions/Read",
                    "Microsoft.Web/serverfarms/Delete",
                    "Microsoft.Web/serverfarms/Read",
                    "Microsoft.Web/serverfarms/Write",
                    "Microsoft.Web/serverfarms/metrics/read",
                    "Microsoft.Web/serverfarms/sites/read",
                    "Microsoft.Web/serverfarms/skus/read",
                    "Microsoft.Web/serverfarms/usages/read",
                    "Microsoft.Web/sites/metrics/read",
                    "Microsoft.Web/sites/read",
                    "Microsoft.Web/sites/slots/Read",
                    "Microsoft.Web/sites/usages/read"
                ],
                "notActions": [],
                "dataActions": [
                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
                ],
                "notDataActions": []
            }
        ]
    }
}

Note:

Be sure to update the following information in the file:

<RoleName> – Specify your preferred name for the custom role.
<Subscription_ID> – Specify the ID of the subscription that Turbonomic will manage.

Minimum Permissions - Uploads of Migration Plans to Azure

Turbonomic includes a planning feature that simulates the migration of workloads to Azure. After you run the plan, you can upload the plan results to Azure to begin the actual migration process. To upload the results, the following permissions are required.

Turbonomic Functionality	Required Permissions
Uploads of plan results to Azure Migrate	`Microsoft.Migrate/migrateprojects/read` Gets the properties of a Migrate project `Microsoft.Migrate/migrateprojects/solutions/read` Gets the properties of a Migrate project solution `Microsoft.Migrate/migrateprojects/solutions/getconfig/action` Gets the configuration of a Migrate project solution