ARM Template Installation - Required Permissions

Outlines the required permissions to deploy Cloud Protect with provided ARM templates

The permissions below are required to install the Protegrity service using the ARM template.

All permissions in the table must be granted with the Resource group scope.

| Permissions | Description | Built-In Azure Role |
|---|---|---|
| Microsoft.Insights/components/read<br>Microsoft.OperationalInsights/workspaces/read | Read access to monitoring data and settings | Monitoring Reader |
| Microsoft.Insights/components/write<br>Microsoft.OperationalInsights/workspaces/write | Write and manage access to monitoring data and settings | Monitoring Contributor |
| Microsoft.Web/serverFarms/write<br>Microsoft.Web/sites/write<br>Microsoft.Web/sites/host/listkeys/action<br>Microsoft.Web/serverFarms/join/action<br>Microsoft.Web/register/action | Write and manage access to web apps | Website Contributor |
| Microsoft.ManagedIdentity/userAssignedIdentities/assign/action<br>Microsoft.ManagedIdentity/userAssignedIdentities/read | Manage and assign managed identities | Managed Identity Operator |
| Microsoft.Resources/deployments/validate/action<br>Microsoft.Resources/deployments/write<br>Microsoft.Resources/deployments/operationStatuses/read<br>Microsoft.Resources/deployments/read | Manage and validate deployments | Deployment Contributor |

The Log Forwarder service ARM deployment requires the additional permissions below:

| Permissions | Description | Built-In Azure Role |
|---|---|---|
| Microsoft.EventHub/namespaces/write<br>Microsoft.EventHub/namespaces/eventhubs/write<br>Microsoft.EventHub/namespaces/networkrulesets/write | Allow for the creation, update, and deletion of Event Hub namespaces, event hubs within those namespaces, and their network rule sets, enabling full management of Event Hub resources. Note: These permissions are only required when deploying a new Event Hub. | Event Hubs Contributor |
| Microsoft.EventHub/namespaces/read | Read monitoring data and metrics, including Event Hub namespace data. | Monitoring Reader |

The additional permissions listed below are required when API management is part of the deployment.

| Permissions | Description | Built-In Azure Role |
|---|---|---|
| Microsoft.ApiManagement/service/write<br>Microsoft.ApiManagement/service/apis/write<br>Microsoft.ApiManagement/service/diagnostics/write<br>Microsoft.ApiManagement/service/apis/operations/write<br>Microsoft.ApiManagement/service/apis/operations/policies/write<br>Microsoft.ApiManagement/service/backends/write<br>Microsoft.ApiManagement/service/loggers/write<br>Microsoft.ApiManagement/service/policies/write<br>Microsoft.ApiManagement/service/apis/diagnostics/write | Create or update API Management service instances, APIs, diagnostics, API operations, operation policies, backends, loggers, tenant policies, and API diagnostics. | API Management Service Contributor |
| Microsoft.ApiManagement/service/read<br>Microsoft.ApiManagement/service/operationResults/read | Read metadata for API Management service instances and get the status of long-running operations. | API Management Service Reader |
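
A pre-deployment check that the roles assigned at the resource group scope cover the core permissions in the first table, without resorting to a broad role. This is an added example, not part of the Protegrity documentation. The role dictionaries are constructed samples, and their simplified shape (`actions` / `notActions` lists) and the function names are assumptions of this example.

```python
import re

# Core permissions from the first table on this page (resource group scope).
REQUIRED = """
Microsoft.Insights/components/read Microsoft.OperationalInsights/workspaces/read
Microsoft.Insights/components/write Microsoft.OperationalInsights/workspaces/write
Microsoft.Web/serverFarms/write Microsoft.Web/sites/write
Microsoft.Web/sites/host/listkeys/action Microsoft.Web/serverFarms/join/action
Microsoft.Web/register/action
Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
Microsoft.ManagedIdentity/userAssignedIdentities/read
Microsoft.Resources/deployments/validate/action Microsoft.Resources/deployments/write
Microsoft.Resources/deployments/operationStatuses/read
Microsoft.Resources/deployments/read
""".split()

def _matches(pattern, action):
    # Azure RBAC action strings are case-insensitive; '*' is the only wildcard.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def is_granted(action, role):
    """Within one role, effective permissions are Actions minus NotActions."""
    allowed = any(_matches(p, action) for p in role.get("actions", []))
    excluded = any(_matches(p, action) for p in role.get("notActions", []))
    return allowed and not excluded

def missing_permissions(required, roles):
    """Required actions that none of the assigned roles grants."""
    return [a for a in required if not any(is_granted(a, r) for r in roles)]

# Constructed sample: three hypothetical custom roles assigned to the deployer.
SAMPLE_ROLES = [
    {"name": "constructed-monitoring",
     "actions": ["Microsoft.Insights/components/*",
                 "Microsoft.OperationalInsights/workspaces/*"],
     "notActions": []},
    {"name": "constructed-web",
     "actions": ["Microsoft.Web/*"],
     "notActions": ["Microsoft.Web/sites/host/listkeys/action"]},
    {"name": "constructed-deploy",
     "actions": ["microsoft.resources/deployments/*"],
     "notActions": []},
]

if __name__ == "__main__":
    for action in missing_permissions(REQUIRED, SAMPLE_ROLES):
        print("missing:", action)
```

An empty result means every listed permission is covered; a `notActions` entry in one role only removes the action from that role, so another assigned role can still grant it.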


Last modified : January 13, 2026