Azure-docs: Provide Least Privilege Instructions for the discovery Account

Created on 26 Oct 2020 · 12 Comments · Source: MicrosoftDocs/azure-docs

This document should more specifically detail what the migrate account requires. Just saying "contributor rights to a subscription" is the equivalent of saying "domain admin" for a domain and is very difficult to get approved in stricter environments. There's no way the assessment needs this level of access so a more refined definition should be provided.


Labels: Pri2 · assigned-to-author · azure-migratsvc · doc-enhancement · triaged

All 12 comments

@JustinGrote Thanks a lot for taking the time to share your feedback; we will review further and get back to you at the earliest.

I'm checking on least privilege for creating a project. thx!

@rayne-wiselman there are some built-in key vault roles in preview; does the migrate account just need a key vault? I would imagine it would perhaps need reader permissions on the VMs as well.
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

That should have said least privilege for creating Azure Migrate project. Updating text and will report back here with progress.

Hi @JustinGrote. Currently, the information in the article is accurate for creating a migrate project. We'll update the documentation if there are changes to the current requirements. Thanks! Rayne

@rayne-wiselman Are you sure about that? It only took me 15 minutes of research to:

  1. Create a migrate resource
  2. Look at the ARM template to see resources were created
  3. Create an appropriate custom role template to allow for those resources
  4. Assign to a test user
  5. Allow that user to create the migrate resource and nothing else and test successfully

Obviously there are more permissions involved in discovery after this step but certainly less than contributor are required and there should at least be some guidance along these lines.

I would expect Microsoft to be more security-conscious than requiring "domain admin" to an entire subscription; that's the realm of ignorant third-party ISVs. As an MSP going into a foreign environment, asking for this, especially at a large customer, is a huge ask and would frequently get denied, with the customer telling us we don't know what we are doing.

I request a re-review of this request by someone highly familiar with Azure roles and RBAC permissions, and that a JSON template for the least privileges required be prepared, as well as Azure Policy recommendations as appropriate. Thank you!

Here's the template I used to successfully create an assessment project without requiring contributor rights: only these rights, assigned only to a specific resource group rather than an entire subscription. This is the full list, but it could be shortened by grouping with wildcards.

{
  "Name": "AzureMigrateTest2",
  "Id": "2383af4b-e66c-4753-b72e-83fbbf1bbe00",
  "IsCustom": true,
  "Description": "",
  "Actions": [
    "Microsoft.Migrate/projects/machines/read",
    "Microsoft.Migrate/projects/groups/assessments/assessedmachines/read",
    "Microsoft.Migrate/projects/groups/assessments/downloadurl/action",
    "Microsoft.Migrate/projects/groups/assessments/delete",
    "Microsoft.Migrate/projects/groups/assessments/write",
    "Microsoft.Migrate/projects/groups/assessments/read",
    "Microsoft.Migrate/projects/groups/delete",
    "Microsoft.Migrate/projects/groups/write",
    "Microsoft.Migrate/projects/groups/read",
    "Microsoft.Migrate/projects/assessments/read",
    "Microsoft.Migrate/projects/keys/action",
    "Microsoft.Migrate/projects/delete",
    "Microsoft.Migrate/projects/write",
    "Microsoft.Migrate/projects/read",
    "Microsoft.Migrate/migrateprojects/WebSites/read",
    "Microsoft.Migrate/migrateprojects/WebServers/read",
    "Microsoft.Migrate/migrateprojects/VirtualDesktopUsers/read",
    "Microsoft.Migrate/migrateprojects/privateLinkResources/read",
    "Microsoft.Migrate/migrateprojects/privateEndpointConnectionProxies/delete",
    "Microsoft.Migrate/migrateprojects/privateEndpointConnectionProxies/write",
    "Microsoft.Migrate/migrateprojects/privateEndpointConnectionProxies/validate/action",
    "Microsoft.Migrate/migrateprojects/privateEndpointConnectionProxies/read",
    "Microsoft.Migrate/migrateprojects/privateEndpointConnections/delete",
    "Microsoft.Migrate/migrateprojects/privateEndpointConnections/write",
    "Microsoft.Migrate/migrateprojects/privateEndpointConnections/read",
    "Microsoft.Migrate/migrateprojects/solutions/cleanupData/action",
    "Microsoft.Migrate/migrateprojects/solutions/getconfig/action",
    "Microsoft.Migrate/migrateprojects/solutions/Delete",
    "Microsoft.Migrate/migrateprojects/solutions/write",
    "Microsoft.Migrate/migrateprojects/solutions/read",
    "Microsoft.Migrate/migrateprojects/MigrateEvents/Delete",
    "Microsoft.Migrate/migrateprojects/MigrateEvents/read",
    "Microsoft.Migrate/migrateprojects/machines/read",
    "Microsoft.Migrate/migrateprojects/Databases/read",
    "Microsoft.Migrate/migrateprojects/DatabaseInstances/read",
    "Microsoft.Migrate/migrateprojects/registrationDetails/action",
    "Microsoft.Migrate/migrateprojects/RefreshSummary/action",
    "Microsoft.Migrate/migrateprojects/registerTool/action",
    "Microsoft.Migrate/migrateprojects/delete",
    "Microsoft.Migrate/migrateprojects/write",
    "Microsoft.Migrate/migrateprojects/read",
    "Microsoft.Migrate/locations/assessmentOptions/read",
    "Microsoft.Migrate/locations/checknameavailability/action",
    "Microsoft.Migrate/Operations/read",
    "Microsoft.Migrate/assessmentprojects/vmwarecollectors/delete",
    "Microsoft.Migrate/assessmentprojects/vmwarecollectors/write",
    "Microsoft.Migrate/assessmentprojects/vmwarecollectors/read",
    "Microsoft.Migrate/assessmentprojects/servercollectors/write",
    "Microsoft.Migrate/assessmentprojects/servercollectors/read",
    "Microsoft.Migrate/assessmentprojects/privateLinkResources/read",
    "Microsoft.Migrate/assessmentprojects/privateEndpointConnectionProxies/delete",
    "Microsoft.Migrate/assessmentprojects/privateEndpointConnectionProxies/write",
    "Microsoft.Migrate/assessmentprojects/privateEndpointConnectionProxies/validate/action",
    "Microsoft.Migrate/assessmentprojects/privateEndpointConnectionProxies/read",
    "Microsoft.Migrate/assessmentprojects/privateEndpointConnections/delete",
    "Microsoft.Migrate/assessmentprojects/privateEndpointConnections/write",
    "Microsoft.Migrate/assessmentprojects/privateEndpointConnections/read",
    "Microsoft.Migrate/assessmentprojects/machines/read",
    "Microsoft.Migrate/assessmentprojects/importcollectors/delete",
    "Microsoft.Migrate/assessmentprojects/importcollectors/write",
    "Microsoft.Migrate/assessmentprojects/importcollectors/read",
    "Microsoft.Migrate/assessmentprojects/hypervcollectors/delete",
    "Microsoft.Migrate/assessmentprojects/hypervcollectors/write",
    "Microsoft.Migrate/assessmentprojects/hypervcollectors/read",
    "Microsoft.Migrate/assessmentprojects/groups/assessments/assessedmachines/read",
    "Microsoft.Migrate/assessmentprojects/groups/assessments/downloadurl/action",
    "Microsoft.Migrate/assessmentprojects/groups/assessments/delete",
    "Microsoft.Migrate/assessmentprojects/groups/assessments/write",
    "Microsoft.Migrate/assessmentprojects/groups/assessments/read",
    "Microsoft.Migrate/assessmentprojects/groups/avsAssessments/avsassessedmachines/read",
    "Microsoft.Migrate/assessmentprojects/groups/avsAssessments/downloadurl/action",
    "Microsoft.Migrate/assessmentprojects/groups/avsAssessments/delete",
    "Microsoft.Migrate/assessmentprojects/groups/avsAssessments/write",
    "Microsoft.Migrate/assessmentprojects/groups/avsAssessments/read",
    "Microsoft.Migrate/assessmentprojects/groups/updateMachines/action",
    "Microsoft.Migrate/assessmentprojects/groups/delete",
    "Microsoft.Migrate/assessmentprojects/groups/write",
    "Microsoft.Migrate/assessmentprojects/groups/read",
    "Microsoft.Migrate/assessmentprojects/assessmentsSummary/read",
    "Microsoft.Migrate/assessmentprojects/assessments/read",
    "Microsoft.Migrate/assessmentprojects/assessmentOptions/read",
    "Microsoft.Migrate/assessmentprojects/avsAssessmentOptions/read",
    "Microsoft.Migrate/assessmentprojects/delete",
    "Microsoft.Migrate/assessmentprojects/write",
    "Microsoft.Migrate/assessmentprojects/read",
    "Microsoft.Migrate/register/action",
    "Microsoft.Resources/subscriptions/resourceGroups/validateMoveResources/action",
    "Microsoft.Resources/subscriptions/resourceGroups/moveResources/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
    "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
    "Microsoft.Resources/subscriptions/resourcegroups/deployments/write",
    "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
    "Microsoft.Resources/deploymentScripts/logs/read",
    "Microsoft.Resources/deploymentScripts/write",
    "Microsoft.Resources/deploymentScripts/read",
    "Microsoft.Resources/deployments/operationstatuses/read",
    "Microsoft.Resources/deployments/operations/read",
    "Microsoft.Resources/deployments/exportTemplate/action",
    "Microsoft.Resources/deployments/whatIf/action",
    "Microsoft.Resources/deployments/validate/action",
    "Microsoft.Resources/deployments/cancel/action",
    "Microsoft.Resources/deployments/write",
    "Microsoft.Resources/deployments/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/48759ba7-c496-43ac-ba0e-03abf5ef2092/resourceGroups/ARMTest"
  ]
}

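The five steps described in the comment above, carried out with the Az PowerShell module, as an added example that is not code from the issue, from Azure Migrate or from Microsoft's docs. It assumes the role JSON above has been saved as AzureMigrateTest2.json; the subscription ID, resource group name and the object ID of the test principal are placeholder values to replace. The lint checks run before the role is created (no wildcard actions, no Microsoft.Authorization write actions, resource-group-only AssignableScopes, every action present in the provider's published operation list) are this editor's additions, not something the issue describes:

```powershell
#Requires -Modules Az.Accounts, Az.Resources
# Added example (not from the issue or the Azure Migrate docs).
# Assumed values: replace the subscription, resource group, test principal
# object ID and the path of the role JSON saved from the comment above.
$SubscriptionId  = '00000000-0000-0000-0000-000000000000'
$ResourceGroup   = 'ARMTest'
$TestPrincipalId = '11111111-1111-1111-1111-111111111111'
$RoleFile        = '.\AzureMigrateTest2.json'

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. Load the definition and lint it before it reaches the tenant.
$role = Get-Content -Raw -Path $RoleFile | ConvertFrom-Json

# 1a. No wildcards: '*' also grants operations the provider adds later.
$wild = $role.Actions | Where-Object { $_.Contains('*') }
if ($wild) { throw "Wildcard actions present: $($wild -join ', ')" }

# 1b. Nothing that lets the holder change RBAC and grant themselves more.
$escalation = $role.Actions | Where-Object {
    $_ -like 'Microsoft.Authorization/*' -and $_ -notlike '*/read'
}
if ($escalation) { throw "Role can modify RBAC itself: $($escalation -join ', ')" }

# 1c. Assignable only at resource-group level, never at the subscription root.
$broad = $role.AssignableScopes | Where-Object {
    $_ -notmatch '^/subscriptions/[^/]+/resourceGroups/[^/]+$'
}
if ($broad) { throw "AssignableScopes wider than a resource group: $($broad -join ', ')" }

# 1d. Every action must be an operation the provider actually publishes;
#     a typo would otherwise be accepted and silently grant nothing.
$published = (@(Get-AzProviderOperation 'Microsoft.Migrate/*') +
              @(Get-AzProviderOperation 'Microsoft.Resources/*')) |
             ForEach-Object { $_.Operation }
$unknown = $role.Actions | Where-Object { $published -notcontains $_ }   # case-insensitive
if ($unknown) { Write-Warning "Not in the provider operation list: $($unknown -join ', ')" }

# 2. Pin the scope to this resource group, drop the exported Id so ARM
#    allocates a fresh one, then create the role or update it in place.
$role.AssignableScopes = @("/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup")
$role.PSObject.Properties.Remove('Id')
$existing = Get-AzRoleDefinition -Name $role.Name
if ($existing) {
    $existing.Actions          = [System.Collections.Generic.List[string]]$role.Actions
    $existing.AssignableScopes = [System.Collections.Generic.List[string]]$role.AssignableScopes
    Set-AzRoleDefinition -Role $existing | Out-Null
} else {
    $tmp = New-TemporaryFile
    $role | ConvertTo-Json -Depth 5 | Set-Content -Path $tmp.FullName
    New-AzRoleDefinition -InputFile $tmp.FullName | Out-Null
    Remove-Item $tmp.FullName
}

# 3. Assign the role to the test principal at resource-group scope only.
if (-not (Get-AzRoleAssignment -ObjectId $TestPrincipalId -RoleDefinitionName $role.Name -ResourceGroupName $ResourceGroup)) {
    New-AzRoleAssignment -ObjectId $TestPrincipalId `
                         -RoleDefinitionName $role.Name `
                         -ResourceGroupName $ResourceGroup | Out-Null
}

# 4. Verify: the principal holds this role at the RG and nothing at the
#    subscription root. -ObjectId alone lists the principal's assignments
#    at every scope in the current subscription.
$assignments = Get-AzRoleAssignment -ObjectId $TestPrincipalId
$assignments | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
$subWide = $assignments | Where-Object { $_.Scope -eq "/subscriptions/$SubscriptionId" }
if ($subWide) {
    Write-Warning "Principal also holds subscription-wide roles: $($subWide.RoleDefinitionName -join ', ')"
}

# 5. Before shortening the list with wildcards, see what one wildcard would
#    grant beyond the explicit actions.
$pattern  = 'Microsoft.Migrate/assessmentprojects/*'
$expanded = @(Get-AzProviderOperation $pattern | ForEach-Object { $_.Operation })
$extra    = @($expanded | Where-Object { $role.Actions -notcontains $_ })
"$pattern would grant $($expanded.Count) operations, $($extra.Count) not in the explicit list:"
$extra
```

Whoever runs this needs Microsoft.Authorization/roleDefinitions/write and roleAssignments/write at the resource group (Owner or User Access Administrator there), which is the customer's admin rather than the MSP; the point of the exercise is that the MSP's account then ends up with only the custom role. A freshly created custom role can take a few minutes to become assignable, so if step 3 reports the role definition as not found, rerun it. Step 5 is the check to make before collapsing the action list with wildcards: a wildcard is shorter, but it also covers every operation the provider publishes under that prefix now and in the future, which is exactly what the explicit list avoids.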

I will pass along the feedback. Thanks


@JustinGrote thanks for highlighting the need for RBAC permissions. We at PG are working on validating the RBAC permissions required for different operations on Azure Migrate and will update the docs accordingly in a few weeks. I reviewed the permissions you have defined; I just wanted to check which operations you were planning to execute, by that I mean which of the following:

  1. Creating Azure Migrate project
  2. Adding 1P Azure Migrate tools like Server Assessment and Server Migration
  3. Setting up Azure Migrate appliance for discovery and assessment
  4. Viewing discovered servers, applications and dependencies on the portal
  5. Creating groups and assessments (as on-premises or performance based)
  6. Initiating replication on VMs (agentless or agent-based)
  7. Trying Test migration and final migration
  8. Booting up VMs post migration

@Vikram1988 Thank you, and I appreciate your diligence in assisting with this additional documentation. I believe that list of operations looks correct: basically everything required to execute an assessment and migration/optimization of VMs, both on-premises and in Azure. I look forward to it!

@JustinGrote Hey, I'm going to close this for now. We'll update info across articles in line with the PG timeline. Thanks for your feedback on our docs. Always appreciated!

@rayne-wiselman is their timeline published anywhere? That should be referenced and then this can be closed, otherwise this issue should remain open until the docs are updated.

@JustinGrote I've opened an internal task and will track the doc work there. That internal issue will close when the docs are updated. These public issues track whether the documentation is currently accurate, which it is. The docs should be updated in line with the timeline Vikram described above. Your comments are captured in the internal work item.
