What role is required to be enabled at Subscription scope to enable Traffic Analytics for an Azure subscription.

Shridhar Srinivasan 215

If your account has Reader role at Subscription scope, does that allow to enable Traffic Analytics.

2 answers

Ernest King Arthur 0 Reputation points

2023-07-14T14:26:42.96+00:00
One of the following Azure built-in roles needs to be assigned to your account:
1.Owner

2.Contributor

3.Network Contributor

If none of the preceding built-in roles are assigned to your account, assign a custom role to your account. The custom role should support the following actions at the subscription level:

Microsoft.Network/applicationGateways/read

Microsoft.Network/connections/read

Microsoft.Network/loadBalancers/read

Microsoft.Network/localNetworkGateways/read

Microsoft.Network/networkInterfaces/read

Microsoft.Network/networkSecurityGroups/read

Microsoft.Network/publicIPAddresses/read"

Microsoft.Network/routeTables/read

Microsoft.Network/virtualNetworkGateways/read

Microsoft.Network/virtualNetworks/read

Microsoft.Network/expressRouteCircuits/read
Hope this helps.
Please sign in to rate this answer.
Shridhar Srinivasan 215 Reputation points

2023-07-15T10:36:46.2933333+00:00

It doesn't help. I have seen the official .doc as well which quotes the above.

But, many blogs and practice exams quote "If your account has Reader role at Subscription scope, you can enable Traffic Analytics."

Shridhar Srinivasan 215 Reputation points

2023-07-17T10:41:25.29+00:00

Thank you @Ernest King Arthur and @Sandeep G-MSFT

Shridhar Srinivasan 215 Reputation points

2023-07-30T04:21:23.06+00:00

Apologies for Re-opening. Have further doubts. Comment added below to the other answer.
Sign in to comment
Sandeep G-MSFT 16,696 Reputation points Microsoft Employee

2023-07-17T08:48:23.4966667+00:00

@Shridhar Srinivasan

With Reader role assigned on subscription scope, this means you can read all the resources of all types, except secrets.

Enabling Traffic Analytics is an "Write" operation. Write operations cannot be performed under "Reader" role.

As eKINGARTHUR mentioned you need any of the below roles assigned to account in order to Enable or disable traffic Analytics.

Let us know if you have any further questions.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Murali R 245 Reputation points

2023-07-20T14:26:02.26+00:00

Hi @Sandeep G-MSFT

Iam currently working on a process for creating NSG flow log with Traffic Analytics Enabled through bicep. When i have tested the pipeline i have received the below error "TAUserDoesNotHavePermissions: User does not have permissions to enable Traffic Analytics".

For this i have all the custom roles available provided as per Microsoft Document. Link [https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq#what-are-the-prerequisites-to-use-traffic-analytics-]. Is the Network contributor built in role is mandatory to enable traffic analytics or custom role will suffice?

Kindly help me on this regard.

Thanks,

Murali

Shridhar Srinivasan 215 Reputation points

2023-07-30T04:24:28.0466667+00:00

Apologies for Re-opening. Have further doubts on reading again the custom role actions.

If you check the list of actions for the custom role definition, they are all Read actions. Then why would a Reader role not suffice.

Sandeep G-MSFT 16,696 Reputation points Microsoft Employee

2023-08-01T12:02:18.7166667+00:00

@Shridhar Srinivasan

I am looking into this. Let me try to reproduce this in my lab and get back to you

Shridhar Srinivasan 215 Reputation points

2023-08-03T08:14:04.1966667+00:00

@Sandeep G-MSFT

Thanks for trying to reproduce this in lab. Please share update as soon as you have a result.

Murali R 245 Reputation points

2023-08-03T09:54:17.55+00:00

@Srinivasan, Shridhar (Shridhar), My issue got resolved after adding all the custom roles in the subscription level of scope. Right now iam able to create NSG flow log without any errors. Only change in custom role is

Microsoft.OperationalInsights/workspaces/read, Microsoft.OperationalInsights/workspaces/write

Shridhar Srinivasan 215 Reputation points

2023-08-03T18:54:25.1133333+00:00

Thanks Murali. My query is more on the Built-in Reader role at Subscription level. Why that does not suffice when the custom role also lists only the different Read permissions.

Your response seems to suggest, we need this right - Microsoft.OperationalInsights/workspaces/write

This surely will lead to a Post request I believe.

I'll just wait for @Sandeep G-MSFT to confirm with his results before closing this loop.
Sign in to comment

Share via

What role is required to be enabled at Subscription scope to enable Traffic Analytics for an Azure subscription.

2 answers