Azure role-based access control permissions required to use Network Watcher capabilities
Article
11/27/2023
12 contributors
Azure role-based access control (Azure RBAC) lets you grant members of your organization only the specific actions they need to carry out their responsibilities. To use Azure Network Watcher capabilities, the account you sign in to Azure with must be assigned the Owner, Contributor, or Network Contributor built-in role, or a custom role that includes the actions listed for each Network Watcher capability in the sections that follow. To learn how to check the roles assigned to a user for a subscription, see List Azure role assignments using the Azure portal. If you can't see the role assignments, contact the respective subscription admin. To learn more about Network Watcher's capabilities, see What is Network Watcher?
Network Watcher
| Action | Description |
|---|---|
| Microsoft.Network/networkWatchers/read | Get a network watcher |
| Microsoft.Network/networkWatchers/write | Create or update a network watcher |
| Microsoft.Network/networkWatchers/delete | Delete a network watcher |
Connection monitor
| Action | Description |
|---|---|
| Microsoft.Network/networkWatchers/connectionMonitors/start/action | Start a connection monitor |
| Microsoft.Network/networkWatchers/connectionMonitors/stop/action | Stop a connection monitor |
| Microsoft.Network/networkWatchers/connectionMonitors/query/action | Query a connection monitor |
| Microsoft.Network/networkWatchers/connectionMonitors/read | Get a connection monitor |
| Microsoft.Network/networkWatchers/connectionMonitors/write | Create a connection monitor |
| Microsoft.Network/networkWatchers/connectionMonitors/delete | Delete a connection monitor |
Flow logs
| Action | Description |
|---|---|
| Microsoft.Network/networkWatchers/configureFlowLog/action | Configure a flow log |
| Microsoft.Network/networkWatchers/queryFlowLogStatus/action | Query status for a flow log |
| Microsoft.Storage/storageAccounts/listServiceSas/Action, Microsoft.Storage/storageAccounts/listAccountSas/Action, Microsoft.Storage/storageAccounts/listKeys/Action | Fetch shared access signatures (SAS) enabling secure access to the storage account and write to the storage account |
Traffic analytics
Since traffic analytics is enabled as part of the flow log resource, the following permissions are required in addition to all the permissions required for Flow logs:
| Action | Description |
|---|---|
| Microsoft.Network/applicationGateways/read | Get an application gateway |
| Microsoft.Network/connections/read | Get VirtualNetworkGatewayConnection |
| Microsoft.Network/loadBalancers/read | Get a load balancer definition |
| Microsoft.Network/localNetworkGateways/read | Get LocalNetworkGateway |
| Microsoft.Network/networkInterfaces/read | Get a network interface definition |
| Microsoft.Network/networkSecurityGroups/read | Get a network security group definition |
| Microsoft.Network/publicIPAddresses/read | Get a public IP address definition |
| Microsoft.Network/routeTables/read | Get a route table definition |
| Microsoft.Network/virtualNetworkGateways/read | Get a VirtualNetworkGateway |
| Microsoft.Network/virtualNetworks/read | Get a virtual network definition |
| Microsoft.Network/expressRouteCircuits/read | Get an ExpressRouteCircuit |
| Microsoft.OperationalInsights/workspaces/read | Get an existing workspace |
| Microsoft.OperationalInsights/workspaces/sharedkeys/action | Retrieve the shared keys for the workspace |
| Microsoft.Insights/dataCollectionRules/read ¹ | Read a data collection rule |
| Microsoft.Insights/dataCollectionRules/write ¹ | Create or update a data collection rule |
| Microsoft.Insights/dataCollectionRules/delete ¹ | Delete a data collection rule |
| Microsoft.Insights/dataCollectionEndpoints/read ¹ | Read a data collection endpoint |
| Microsoft.Insights/dataCollectionEndpoints/write ¹ | Create or update a data collection endpoint |
| Microsoft.Insights/dataCollectionEndpoints/delete ¹ | Delete a data collection endpoint |

¹ Only required when using traffic analytics to analyze VNet flow logs (preview). For more information, see Data collection rules in Azure Monitor and Data collection endpoints in Azure Monitor.
Caution: Data collection rule and data collection endpoint resources are created and managed by traffic analytics. If you perform any operation on these resources, traffic analytics may not function as expected.
Connection troubleshoot
| Action | Description |
|---|---|
| Microsoft.Network/networkWatchers/connectivityCheck/action | Initiate a connection troubleshoot test |
| Microsoft.Network/networkWatchers/queryTroubleshootResult/action | Query results of a connection troubleshoot test |
| Microsoft.Network/networkWatchers/troubleshoot/action | Run a connection troubleshoot test |
Packet capture
| Action | Description |
|---|---|
| Microsoft.Network/networkWatchers/packetCaptures/queryStatus/action | Query the status of a packet capture |
| Microsoft.Network/networkWatchers/packetCaptures/stop/action | Stop a packet capture |
| Microsoft.Network/networkWatchers/packetCaptures/read | Get a packet capture |
| Microsoft.Network/networkWatchers/packetCaptures/write | Create a packet capture |
| Microsoft.Network/networkWatchers/packetCaptures/delete | Delete a packet capture |
| Microsoft.Network/networkWatchers/packetCaptures/queryStatus/read | View the status of a packet capture |
IP flow verify
| Action | Description |
|---|---|
| Microsoft.Network/networkWatchers/ipFlowVerify/action | Verify an IP flow |
Next hop
| Action | Description |
|---|---|
| Microsoft.Network/networkWatchers/nextHop/action | Get the next hop from a VM |
Network security group view
| Action | Description |
|---|---|
| Microsoft.Network/networkWatchers/securityGroupView/action | View security groups |
Topology
| Action | Description |
|---|---|
| Microsoft.Network/networkWatchers/topology/action | Get topology |
| Microsoft.Network/networkWatchers/topology/read | Get topology (same as the action above) |
Reachability report
| Action | Description |
|---|---|
| Microsoft.Network/networkWatchers/azureReachabilityReport/action | Get an Azure reachability report |
Additional actions
Network Watcher capabilities also require the following actions:
| Action(s) | Description |
|---|---|
| Microsoft.Authorization/*/Read | Fetch Azure role assignments and policy definitions |
| Microsoft.Resources/subscriptions/resourceGroups/Read | Enumerate all the resource groups in a subscription |
| Microsoft.Storage/storageAccounts/Read | Get the properties for the specified storage account |
| Microsoft.Storage/storageAccounts/listServiceSas/Action, Microsoft.Storage/storageAccounts/listAccountSas/Action, Microsoft.Storage/storageAccounts/listKeys/Action | Fetch shared access signatures (SAS) enabling secure access to the storage account and write to the storage account |
| Microsoft.Compute/virtualMachines/Read, Microsoft.Compute/virtualMachines/Write | Log in to the VM, do a packet capture, and upload it to the storage account |
| Microsoft.Compute/virtualMachines/extensions/Read, Microsoft.Compute/virtualMachines/extensions/Write | Check if the Network Watcher extension is present, and install it if necessary |
| Microsoft.Compute/virtualMachineScaleSets/Read, Microsoft.Compute/virtualMachineScaleSets/Write | Access virtual machine scale sets, do packet captures, and upload them to the storage account |
| Microsoft.Compute/virtualMachineScaleSets/extensions/Read, Microsoft.Compute/virtualMachineScaleSets/extensions/Write | Check if the Network Watcher extension is present, and install it if necessary |
| Microsoft.Insights/alertRules/* | Set up metric alerts |
| Microsoft.Support/* | Create and update support tickets from Network Watcher |
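As an added example (not part of this article or any Microsoft tool), the following Python check takes a custom role definition and reports which of the actions listed above for a capability it does not grant, applying Azure RBAC's wildcard matching and NotActions subtraction. The `CUSTOM_ROLE` definition is constructed for the example and is not a built-in role.

```python
import re

# Required actions copied from this article's tables (packet capture also
# needs the VM, extension and storage actions from "Additional actions").
REQUIRED = {
    "packet capture": [
        "Microsoft.Network/networkWatchers/packetCaptures/queryStatus/action",
        "Microsoft.Network/networkWatchers/packetCaptures/stop/action",
        "Microsoft.Network/networkWatchers/packetCaptures/read",
        "Microsoft.Network/networkWatchers/packetCaptures/write",
        "Microsoft.Network/networkWatchers/packetCaptures/delete",
        "Microsoft.Compute/virtualMachines/Read",
        "Microsoft.Compute/virtualMachines/Write",
        "Microsoft.Compute/virtualMachines/extensions/Read",
        "Microsoft.Compute/virtualMachines/extensions/Write",
        "Microsoft.Storage/storageAccounts/listKeys/Action",
    ],
    "ip flow verify": ["Microsoft.Network/networkWatchers/ipFlowVerify/action"],
}

# Constructed custom role (not a built-in): read-only across Network Watcher
# child resources plus IP flow verify; packet capture is excluded via NotActions.
CUSTOM_ROLE = {
    "Name": "Network Watcher Reader Plus (example)",
    "Actions": [
        "Microsoft.Network/networkWatchers/*/read",
        "Microsoft.Network/networkWatchers/ipFlowVerify/action",
        "Microsoft.Authorization/*/Read",
        "Microsoft.Resources/subscriptions/resourceGroups/Read",
    ],
    "NotActions": ["Microsoft.Network/networkWatchers/packetCaptures/*"],
}

def _matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard: '*' matches any characters; comparison ignores case."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def is_permitted(role: dict, action: str) -> bool:
    """Permitted when some Actions entry matches and no NotActions entry does."""
    allowed = any(_matches(p, action) for p in role.get("Actions", []))
    denied = any(_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied

def missing_actions(role: dict, capability: str) -> list:
    """Required actions for `capability` that `role` does not grant."""
    return [a for a in REQUIRED[capability] if not is_permitted(role, a)]
```

For this role, `missing_actions(CUSTOM_ROLE, "packet capture")` lists all ten packet capture actions, because the NotActions entry wins even where `*/read` would otherwise match, while IP flow verify has nothing missing.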