Based on PoLP, what actions are required to get full access to a Function App?

Kent010341 231 Reputation points
2022-02-18T03:27:07.607+00:00

Based on PoLP (Principle of Least Privilege), what actions at what scopes are required to get full access to a Function App?

Includes:

  • Create (on Azure Portal)
  • Deploy (by IDE or other tools)
  • Enable Application Insights
  • Others

Currently, by the error message, I know that "Microsoft.Web/ServerFarms/write" and "Microsoft.Web/Sites/write" at the scope of the resource group used are required to create in an existing resource group. However, I don't know which action(s) are required to enable Application Insights, and it seems like I have something missing to create a function app without enabling Application Insights, which shows an error message after I click "Review + create":

[screenshot: 175606-圖片.png]

Besides, is there any document listing all actions required for every service?
And which role is suggested to be used for a developer member? Doesn't Contributor have too many permissions?

Thanks.

Azure Functions

Accepted answer
MayankBargali-MSFT 70,941 Reputation points Moderator
2022-02-21T07:58:34.35+00:00

@KentChen-2307 You can refer to the Azure built-in roles document for more details on the different roles available and their permissions/actions.
As per the error in the screenshot, your user doesn't have the permission to register the resource provider Microsoft.Web.

You must have permission to do the /register/action operation for the resource provider. The permission is included in the Contributor and Owner roles. This is a one-time operation to register the resource provider on a new subscription where you haven't created that resource type yet. If the user has the Contributor or Owner role permission then this action will automatically be performed, but as your user doesn't have this permission, you observe the error. For more details on registering the resource provider you can refer to this document.

If you want a user to create/update/delete any resource then you can provide the Contributor permission either at the subscription level or resource group level as per your requirement.

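An added example, not code from this thread or from Microsoft: an Azure CLI script that writes a custom role carrying the two Microsoft.Web write actions the question identified plus the further actions a Function App create and deploy typically needs, assigns it to a developer at resource-group scope only, and leaves the one-time Microsoft.Web provider registration to an Owner, because that action only works at subscription scope. The extra actions (the Application Insights ones included) and the SUBSCRIPTION_ID, RESOURCE_GROUP and DEV_PRINCIPAL_ID variables are assumptions to confirm against the portal's own error text.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: a custom Azure RBAC role
# for a Function App developer, assigned at resource-group scope.
# Assumed inputs: SUBSCRIPTION_ID, RESOURCE_GROUP, DEV_PRINCIPAL_ID.
# Only the two Microsoft.Web/*/write actions come from the thread; the
# others are assumptions to confirm against the portal's error text.
set -eu

# Write the role definition JSON to the path given as $1.
write_role_definition() {
  cat > "$1" <<EOF
{
  "Name": "Function App Developer (custom)",
  "IsCustom": true,
  "Description": "Create and deploy a Function App without Contributor",
  "Actions": [
    "Microsoft.Web/serverfarms/read",
    "Microsoft.Web/serverfarms/write",
    "Microsoft.Web/sites/read",
    "Microsoft.Web/sites/write",
    "Microsoft.Web/sites/config/write",
    "Microsoft.Web/sites/publishxml/action",
    "Microsoft.Insights/components/read",
    "Microsoft.Insights/components/write",
    "Microsoft.Resources/deployments/write",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP}"
  ]
}
EOF
}

# Microsoft.Web/register/action is deliberately absent: registration
# only works at subscription scope, so an Owner runs it once instead.
register_provider_once() {
  az provider register --namespace Microsoft.Web
}

# Create the role, then assign it to the developer at RG scope only.
create_and_assign() {
  az role definition create --role-definition "@$1"
  az role assignment create \
    --assignee-object-id "${DEV_PRINCIPAL_ID}" \
    --assignee-principal-type User \
    --role "Function App Developer (custom)" \
    --scope "/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP}"
}
```

If the portal still reports a missing action after assignment, the error text names it; add that single action to the role rather than falling back to Contributor.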
