ARM Template Installation - Required Permissions

Permissions below are required to install Protegrity service using ARM template.

All permissions in the table must be granted with the Resource group scope.

Permissions	Description	Built-In Azure Role
`Microsoft.Insights/components/read` `Microsoft.OperationalInsights/workspaces/read`	Read access to monitoring data and settings	Monitoring Reader
`Microsoft.Insights/components/write` `Microsoft.OperationalInsights/workspaces/write`	Write and manage access to monitoring data and settings	Monitoring Contributor
`Microsoft.Web/serverFarms/write` `Microsoft.Web/sites/write` `Microsoft.Web/sites/host/listkeys/action` `Microsoft.Web/serverFarms/join/action` `Microsoft.Web/register/action`	Write and manage access to web apps	Website Contributor
`Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` `Microsoft.ManagedIdentity/userAssignedIdentities/read`	Manage and assign managed identities Note These permissions are only required when user assigned identity is used.	Managed Identity Operator
`Microsoft.Resources/deployments/validate/action` `Microsoft.Resources/deployments/write` `Microsoft.Resources/deployments/operationStatuses/read` `Microsoft.Resources/deployments/read`	Manage and validate deployments	Deployment Contributor

Log Forwarder service ARM deployment requires additional permissions below:

Permissions	Description	Built-In Azure Role
`Microsoft.EventHub/namespaces/write` `Microsoft.EventHub/namespaces/eventhubs/write` `Microsoft.EventHub/namespaces/networkrulesets/write`	Allow for the creation, update, and deletion of Event Hub namespaces, event hubs within those namespaces, and their network rule sets, enabling full management of Event Hub resources. Note: These permissions are only required when deploying new event Hub.	Event Hubs Contributor
`Microsoft.EventHub/namespaces/read`	Read monitoring data and metrics, including Event Hub namespace data.	Monitoring Reader

The additional permissions listed below are required when API management is part of the deployment.

Permissions	Description	Built-In Azure Role
`Microsoft.ApiManagement/service/write` `Microsoft.ApiManagement/service/apis/write` `Microsoft.ApiManagement/service/diagnostics/write` `Microsoft.ApiManagement/service/apis/operations/write` `Microsoft.ApiManagement/service/apis/operations/policies/write` `Microsoft.ApiManagement/service/backends/write` `Microsoft.ApiManagement/service/loggers/write` `Microsoft.ApiManagement/service/policies/write` `Microsoft.ApiManagement/service/apis/diagnostics/write`	Create or update API Management service instances, APIs, diagnostics, API operations, operation policies, backends, loggers, tenant policies, and API diagnostics.	API Management Service Contributor
`Microsoft.ApiManagement/service/read` `Microsoft.ApiManagement/service/operationResults/read`	Read metadata for API Management service instances and get the status of long-running operations.	API Management Service Reader

Permissions

Description

Built-In Azure Role

Microsoft.ApiManagement/service/write

Microsoft.ApiManagement/service/apis/write

Microsoft.ApiManagement/service/diagnostics/write

Microsoft.ApiManagement/service/apis/operations/write

Microsoft.ApiManagement/service/apis/operations/policies/write

Microsoft.ApiManagement/service/backends/write

Microsoft.ApiManagement/service/loggers/write

Microsoft.ApiManagement/service/policies/write

Microsoft.ApiManagement/service/apis/diagnostics/write

Create or update API Management service instances, APIs, diagnostics, API operations, operation policies, backends, loggers, tenant policies, and API diagnostics.

API Management Service Contributor

Microsoft.ApiManagement/service/read

Microsoft.ApiManagement/service/operationResults/read

Read metadata for API Management service instances and get the status of long-running operations.

API Management Service Reader

Feedback

Was this page helpful?

Last modified : January 21, 2026

ARM Template Installation - Required Permissions

Note

Feedback