Service Connector creates connections between Azure services using an on-behalf-of token. Creating a connection to a specific Azure resource requires its corresponding permissions.

App Service

| Action | Description |
| --- | --- |
| Microsoft.Web/sites/config/write | Update Web App's configuration settings |
| Microsoft.web/sites/config/delete | Delete Web Apps Config. |
| Microsoft.Web/sites/config/list/action | List Web App's security sensitive settings, such as publishing credentials, app settings and connection strings |
| Microsoft.Web/sites/config/Read | Get Web App configuration settings |
| Microsoft.Web/sites/write | Create a new Web App or update an existing one |
| Microsoft.Web/sites/read | Get the properties of a Web App |


Webapp Slot

| Action | Description |
| --- | --- |
| Microsoft.Web/sites/slots/Write | Create a new Web App Slot or update an existing one |
| Microsoft.Web/sites/slots/Read | Get the properties of a Web App deployment slot |
| Microsoft.Web/sites/slots/config/Read | Get Web App Slot's configuration settings |
| Microsoft.Web/sites/slots/config/Write | Update Web App Slot's configuration settings |
| microsoft.web/sites/slots/config/delete | Delete Web Apps Slots Config. |
| Microsoft.Web/sites/slots/config/list/Action | List Web App Slot's security sensitive settings, such as publishing credentials, app settings and connection strings |


Azure Spring App

| Action | Description |
| --- | --- |
| Microsoft.AppPlatform/Spring/read | Get Azure Spring Apps service instance(s) |
| Microsoft.AppPlatform/Spring/apps/read | Get the applications for a specific Azure Spring Apps service instance |
| Microsoft.AppPlatform/Spring/apps/write | Create or update the application for a specific Azure Spring Apps service instance |


| Action | Description |
| --- | --- |
|  | Return the list of server firewall rules or gets the properties for the specified server firewall rule. |
| Microsoft.Sql/servers/firewallRules/write | Creates a server firewall rule with the specified parameters, update the properties for the specified rule or overwrite all existing rules with new server firewall rule(s). |
| Microsoft.Sql/servers/firewallRules/delete | Deletes an existing server firewall rule. |
| Microsoft.Sql/servers/databases/read | Return the list of databases or gets the properties for the specified database. |
| Microsoft.Sql/servers/read | Return the list of servers or gets the properties for the specified server. |
| Microsoft.Sql/servers/virtualNetworkRules/read | Return the list of virtual network rules or gets the properties for the specified virtual network rule. |
| Microsoft.Sql/servers/virtualNetworkRules/write | Creates a virtual network rule with the specified parameters or update the properties or tags for the specified virtual network rule. |
| Microsoft.Sql/servers/virtualNetworkRules/delete | Deletes an existing Virtual Network Rule |


Azure Key Vault

| Action | Description |
| --- | --- |
| Microsoft.KeyVault/vaults/write | Creates a new key vault or updates the properties of an existing key vault. Certain properties may require more permissions. |
| Microsoft.KeyVault/vaults/read | View the properties of a key vault |
| Microsoft.KeyVault/vaults/secrets/write | Creates a new secret or updates the value of an existing secret. |
| Microsoft.KeyVault/vaults/accessPolicies/write | Updates an existing access policy by merging or replacing, or adds a new access policy to the key vault. |

Managed Identity/Service principal related connection
Service Connector may need to grant permissions to Managed Identity or Service Principal if a connection is created with those as authentication types. The following table lists the permission requirements for creating a connection in this scenario.

| Action | Description |
| --- | --- |
| Microsoft.Authorization/roleAssignments/read | Get information about a role assignment. |
| Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope. |
| Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope. |

User-assigned managed identities connection
Service Connector may need to grant permissions to User-assigned Managed Identity if a connection is created with it as the authentication type. The following table lists the permission requirements for creating a connection in this scenario.
Private Endpoint/service endpoint related permission
Service Connector may need to grant permissions to your identity if a connection is created with private endpoint or service endpoint as the network solution. The following table lists the permission requirements for creating a connection in this scenario.

| Action | Description |
| --- | --- |
| Microsoft.Network/publicIPAddresses/read | Gets a public IP address definition. |
| Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
| Microsoft.Network/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet |

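
Because the connection is created with the caller's own permissions, it helps to check a role definition against the actions in the tables above before assigning it. The following is an added example, not code from this page or from Service Connector: it tests a constructed custom role against the App Service and Azure Key Vault actions, assuming the usual role-definition shape with `actions` and `notActions` lists; the role name and the function names are hypothetical.

```python
import re

# Required actions copied from the App Service and Azure Key Vault tables on this page.
REQUIRED = [
    "Microsoft.Web/sites/config/write",
    "Microsoft.web/sites/config/delete",
    "Microsoft.Web/sites/config/list/action",
    "Microsoft.Web/sites/config/Read",
    "Microsoft.Web/sites/write",
    "Microsoft.Web/sites/read",
    "Microsoft.KeyVault/vaults/write",
    "Microsoft.KeyVault/vaults/read",
    "Microsoft.KeyVault/vaults/secrets/write",
    "Microsoft.KeyVault/vaults/accessPolicies/write",
]

# Constructed sample role definition (assumed shape; the role name is hypothetical).
SAMPLE_ROLE = {
    "roleName": "connector-operator-example",
    "permissions": [{
        "actions": ["Microsoft.Web/sites/*", "Microsoft.KeyVault/vaults/read",
                    "Microsoft.KeyVault/vaults/secrets/*"],
        "notActions": ["Microsoft.Web/sites/config/list/action"],
    }],
}

def matches(pattern, action):
    """Action patterns compare case-insensitively; '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def missing_actions(role, required):
    """Return the required actions that no permissions block of the role grants."""
    missing = []
    for action in required:
        granted = any(
            any(matches(p, action) for p in perm.get("actions", []))
            and not any(matches(p, action) for p in perm.get("notActions", []))
            for perm in role["permissions"]
        )
        if not granted:
            missing.append(action)
    return missing

if __name__ == "__main__":
    for action in missing_actions(SAMPLE_ROLE, REQUIRED):
        print("missing:", action)
```

The check covers a single role definition; a principal's effective permissions are the union of all its role assignments at the target scope.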