Reference: Azure Permissions
The service principal that you set up in Azure specifies the permissions that Turbonomic needs to discover and monitor your Azure workloads. Permissions to execute actions from Turbonomic are optional.
Minimum Permissions - Workload Monitoring
The following minimum permissions are required to monitor Azure workloads.
Turbonomic Functionality | Required Permissions |
---|---|
Role validation | |
Discovery of subscriptions | |
Discovery of resource groups, locations, and SKUs | |
Discovery of storage accounts | |
Discovery of metrics for various entities | |
Discovery of VMs | |
Discovery of VM scale sets and availability sets | |
Discovery of reservations | |
Discovery of volumes | |
Discovery of SQL databases (vCore/DTU) and metrics | |
Discovery of resources used in Azure Synapse Analytics | |
Discovery of App Services (plans/app instances) and metrics | |
Discovery of Cosmos DB resources | |
Discovery of clusters managed by Azure Kubernetes Service (AKS) | |
Discovery of desktop virtualization (VDI) | |
Discovery of network resources | |
Discovery of pricing information | |
Minimum Permissions - Action Execution
The following permissions are required only if you want to execute actions for Azure workloads from Turbonomic.
Turbonomic Functionality | Required Permissions |
---|---|
Discovery of locks that could prevent action execution | |
Execution of actions for VMs | |
Execution of actions for VM scale sets and availability sets | |
Execution of actions for Azure Kubernetes Service (AKS) nodes (VMs) | |
Execution of actions for volumes | |
Execution of actions for SQL databases (vCore and DTU) | |
Execution of actions for dedicated SQL pools for Azure Synapse Analytics | |
Execution of actions for App Services (plans) | |
Execution of actions for Cosmos DB databases and document collections | |
Sample JSON - Minimum Permissions for Workload Monitoring
In Azure, you can create a custom role that specifies the permissions that Turbonomic needs to monitor workloads in your subscriptions.
When you create the role, you have the option of uploading a JSON file that specifies the permissions and settings for the role. You can copy the content in this section to the JSON file.
{
"properties": {
"roleName": "<RoleName>",
"description": "",
"assignableScopes": [
"/subscriptions/<Subscription_ID>"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read",
"Microsoft.Capacity/catalogs/read",
"Microsoft.Capacity/reservationorders/reservations/read",
"Microsoft.Commerce/RateCard/read",
"Microsoft.Compute/availabilitySets/read",
"Microsoft.Compute/availabilitySets/vmSizes/read",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/skus/read",
"Microsoft.Compute/virtualMachines/extensions/read",
"Microsoft.Compute/virtualMachines/instanceView/read",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read",
"Microsoft.Compute/virtualMachineScaleSets/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/extensions/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
"Microsoft.Consumption/pricesheets/read",
"Microsoft.ContainerService/managedClusters/agentPools/read",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.DesktopVirtualization/hostpools/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
"Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/read",
"Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/read",
"Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/read",
"Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/read",
"Microsoft.DocumentDB/databaseAccounts/databases/collections/metrics/read",
"Microsoft.DocumentDB/databaseAccounts/databases/metrics/read",
"Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/read",
"Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/read",
"Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/read",
"Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/read",
"Microsoft.DocumentDB/databaseAccounts/metrics/read",
"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/read",
"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/read",
"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/read",
"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/read",
"Microsoft.DocumentDB/databaseAccounts/read",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/read",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/read",
"Microsoft.DocumentDB/databaseAccounts/tables/read",
"Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/read",
"Microsoft.DocumentDB/databaseAccounts/usages/read",
"Microsoft.Insights/Metrics/Read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.OperationalInsights/workspaces/query/InsightsMetrics/read",
"Microsoft.OperationalInsights/workspaces/query/Perf/read",
"Microsoft.OperationalInsights/workspaces/query/read",
"Microsoft.OperationalInsights/workspaces/read",
"Microsoft.Relay/namespaces/HybridConnections/read",
"Microsoft.Resources/subscriptions/locations/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/servers/databases/metrics/read",
"Microsoft.Sql/servers/databases/read",
"Microsoft.Sql/servers/read",
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Synapse/SKUs/read",
"Microsoft.Synapse/workspaces/keys/read",
"Microsoft.Synapse/workspaces/read",
"Microsoft.Synapse/workspaces/sqlDatabases/read",
"Microsoft.Synapse/workspaces/sqlPools/dataWarehouseUserActivities/read",
"Microsoft.Synapse/workspaces/sqlPools/extensions/read",
"Microsoft.Synapse/workspaces/sqlPools/operationStatuses/read",
"Microsoft.Synapse/workspaces/sqlPools/read",
"Microsoft.Synapse/workspaces/sqlPools/usages/read",
"Microsoft.Synapse/workspaces/sqlUsages/read",
"Microsoft.Web/geoRegions/Read",
"Microsoft.Web/serverfarms/metrics/read",
"Microsoft.Web/serverfarms/Read",
"Microsoft.Web/serverfarms/sites/read",
"Microsoft.Web/serverfarms/skus/read",
"Microsoft.Web/serverfarms/usages/read",
"Microsoft.Web/sites/metrics/read",
"Microsoft.Web/sites/read",
"Microsoft.Web/sites/slots/Read",
"Microsoft.Web/sites/usages/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
}
}
Be sure to update the following information in the JSON file:
- <RoleName> – Specify your preferred name for the custom role.
- <Subscription_ID> – Specify the ID of the subscription that Turbonomic will manage.
Sample JSON - Minimum Permissions for Workload Monitoring and Action Execution
In Azure, you can create a custom role that specifies the permissions that Turbonomic needs to monitor workloads in your subscriptions and execute actions for these workloads.
When you create the role, you have the option of uploading a JSON file that specifies the permissions and settings for the role. You can copy the content in this section to the JSON file.
{
"properties": {
"roleName": "<RoleName>",
"description": "",
"assignableScopes": [
"/subscriptions/<Subscription_ID>"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/locks/read",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read",
"Microsoft.Capacity/catalogs/read",
"Microsoft.Capacity/reservationorders/reservations/read",
"Microsoft.Commerce/RateCard/read",
"Microsoft.Compute/availabilitySets/read",
"Microsoft.Compute/availabilitySets/vmSizes/read",
"Microsoft.Compute/disks/delete",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/galleries/images/read",
"Microsoft.Compute/galleries/images/versions/read",
"Microsoft.Compute/galleries/read",
"Microsoft.Compute/images/read",
"Microsoft.Compute/skus/read",
"Microsoft.Compute/virtualMachineScaleSets/deallocate/action",
"Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read",
"Microsoft.Compute/virtualMachineScaleSets/read",
"Microsoft.Compute/virtualMachineScaleSets/start/action",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/delete",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/extensions/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
"Microsoft.Compute/virtualMachineScaleSets/vmSizes/read",
"Microsoft.Compute/virtualMachineScaleSets/write",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachines/delete",
"Microsoft.Compute/virtualMachines/extensions/read",
"Microsoft.Compute/virtualMachines/instanceView/read",
"Microsoft.Compute/virtualMachines/powerOff/action",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/vmSizes/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Consumption/pricesheets/read",
"Microsoft.ContainerService/managedClusters/agentPools/read",
"Microsoft.ContainerService/managedClusters/agentPools/write",
"Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/write",
"Microsoft.DesktopVirtualization/hostpools/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
"Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/delete",
"Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/read",
"Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/read",
"Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/read",
"Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/throughputSettings/write",
"Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/read",
"Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/throughputSettings/write",
"Microsoft.DocumentDB/databaseAccounts/databases/collections/metrics/read",
"Microsoft.DocumentDB/databaseAccounts/databases/metrics/read",
"Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/delete",
"Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/read",
"Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/read",
"Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/throughputSettings/write",
"Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/read",
"Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/read",
"Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/throughputSettings/write",
"Microsoft.DocumentDB/databaseAccounts/metrics/read",
"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/read",
"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/read",
"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/write",
"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/delete",
"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/read",
"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/read",
"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/write",
"Microsoft.DocumentDB/databaseAccounts/read",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/read",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/write",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/delete",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/read",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/write",
"Microsoft.DocumentDB/databaseAccounts/tables/read",
"Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/read",
"Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/write",
"Microsoft.DocumentDB/databaseAccounts/usages/read",
"Microsoft.Insights/AutoscaleSettings/Write",
"Microsoft.Insights/Metrics/Read",
"Microsoft.KeyVault/vaults/deploy/action",
"Microsoft.Migrate/migrateprojects/read",
"Microsoft.Migrate/migrateprojects/solutions/getconfig/action",
"Microsoft.Migrate/migrateprojects/solutions/read",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.OperationalInsights/workspaces/query/InsightsMetrics/read",
"Microsoft.OperationalInsights/workspaces/query/Perf/read",
"Microsoft.OperationalInsights/workspaces/query/read",
"Microsoft.OperationalInsights/workspaces/read",
"Microsoft.OperationalInsights/workspaces/sharedkeys/read",
"Microsoft.OperationsManagement/solutions/read",
"Microsoft.OperationsManagement/solutions/write",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/vaults/replicationProtectedItems/read",
"Microsoft.Relay/namespaces/HybridConnections/read",
"Microsoft.Resources/subscriptions/locations/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/servers/databases/metrics/read",
"Microsoft.Sql/servers/databases/pause/action",
"Microsoft.Sql/servers/databases/read",
"Microsoft.Sql/servers/databases/resume/action",
"Microsoft.Sql/servers/databases/write",
"Microsoft.Sql/servers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Synapse/SKUs/read",
"Microsoft.Synapse/workspaces/keys/read",
"Microsoft.Synapse/workspaces/read",
"Microsoft.Synapse/workspaces/sqlDatabases/read",
"Microsoft.Synapse/workspaces/sqlPools/dataWarehouseUserActivities/read",
"Microsoft.Synapse/workspaces/sqlPools/extensions/read",
"Microsoft.Synapse/workspaces/sqlPools/operationStatuses/read",
"Microsoft.Synapse/workspaces/sqlPools/pause/action",
"Microsoft.Synapse/workspaces/sqlPools/read",
"Microsoft.Synapse/workspaces/sqlPools/resume/action",
"Microsoft.Synapse/workspaces/sqlPools/usages/read",
"Microsoft.Synapse/workspaces/sqlUsages/read",
"Microsoft.Web/geoRegions/Read",
"Microsoft.Web/serverfarms/Delete",
"Microsoft.Web/serverfarms/Read",
"Microsoft.Web/serverfarms/Write",
"Microsoft.Web/serverfarms/metrics/read",
"Microsoft.Web/serverfarms/sites/read",
"Microsoft.Web/serverfarms/skus/read",
"Microsoft.Web/serverfarms/usages/read",
"Microsoft.Web/sites/metrics/read",
"Microsoft.Web/sites/read",
"Microsoft.Web/sites/slots/Read",
"Microsoft.Web/sites/usages/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
],
"notDataActions": []
}
]
}
}
Be sure to update the following information in the file:
- <RoleName> – Specify your preferred name for the custom role.
- <Subscription_ID> – Specify the ID of the subscription that Turbonomic will manage.
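An added example (not Turbonomic or Microsoft code): a pre-upload audit of a role definition in the JSON shape used by both samples above. It separates read-only operations from state-changing ones and from operations whose names indicate that keys or credentials are returned, and lists the non-read operations that the action-execution role grants beyond the monitoring role. The `SECRET_HINTS` name matching is a heuristic assumed here, and the two sample roles are constructed, abridged from the actions on this page.

```python
import json
import sys

# Heuristic (assumption of this example): name fragments suggesting that the
# operation returns keys or credentials rather than resource metadata.
SECRET_HINTS = ("listkeys", "credential", "sharedkeys")

def classify(op):
    low = op.lower()  # operation names are case-insensitive ("Read" == "read")
    if "*" in low:
        return "wildcard"
    if any(hint in low for hint in SECRET_HINTS):
        return "secret"
    return "read" if low.endswith("/read") else "mutating"

def operations(role):
    return [op for perm in role["properties"]["permissions"]
            for op in perm.get("actions", []) + perm.get("dataActions", [])]

def audit(role):
    report = {"read": [], "mutating": [], "secret": [], "wildcard": []}
    for op in operations(role):
        report[classify(op)].append(op)
    # Scopes wider than one subscription, e.g. "/" or a management group.
    report["broad_scopes"] = [s for s in role["properties"]["assignableScopes"]
                              if not s.lower().startswith("/subscriptions/")]
    return report

def escalation(monitor, execute):
    """Non-read operations granted by `execute` but not by `monitor`."""
    extra = {o.lower() for o in operations(execute)} - {o.lower() for o in operations(monitor)}
    return sorted(o for o in extra if classify(o) != "read")

def sample_role(actions, data_actions=()):  # constructed, abridged from the page
    return {"properties": {"roleName": "<RoleName>", "description": "",
            "assignableScopes": ["/subscriptions/<Subscription_ID>"],
            "permissions": [{"actions": list(actions), "notActions": [],
                             "dataActions": list(data_actions), "notDataActions": []}]}}

MONITOR = sample_role(["Microsoft.Compute/virtualMachines/read",
                       "Microsoft.Storage/storageAccounts/listkeys/action",
                       "Microsoft.Web/serverfarms/Read"])
EXECUTE = sample_role(MONITOR["properties"]["permissions"][0]["actions"] + [
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action"],
    ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"])

if __name__ == "__main__":  # usage: python audit_role.py role.json [...]
    for path in sys.argv[1:]:
        with open(path) as fh:
            print(json.dumps(audit(json.load(fh)), indent=2))
```

Run against the monitoring sample from this page, the report places `Microsoft.Storage/storageAccounts/listkeys/action` under `secret`: that operation returns the storage account access keys, so the monitoring role is not purely read-only.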
Minimum Permissions - Uploads of Migration Plans to Azure
Turbonomic includes a planning feature that simulates the migration of workloads to Azure. After you run the plan, you can upload the plan results to Azure to begin the actual migration process. To upload the results, the following permissions are required.
Turbonomic Functionality | Required Permissions |
---|---|
Uploads of plan results to Azure Migrate | |