Required permissions for Azure service

Azure role-based access control (RBAC)

Role: Log Analytics Contributor
Scope: /subscriptions/${subscription_id}
Required permissions:
  - */read: to be able to read all resources in the subscription.
  - Microsoft.Insights/DiagnosticSettings/*: to be able to create/update DiagnosticSettings that collect resource logs into Azure Event Hub.
Reason: Cloud Workload Protection Platform (CWPP) will create and update DiagnosticSettings for Azure resources.

Role: Virtual Machine Contributor
Scope: /subscriptions/${subscription_id}
Required permissions:
  - Microsoft.Compute/virtualMachines/runCommand/* (see https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/compute#microsoftcompute)
Reason: CWPP will run commands on the client's Virtual Machines to install ESET Endpoint using the ESET Live Installer.

Role: Contributor
Scope: /subscriptions/${subscription_id}/resourceGroups/eset-cwpp-rg
Required permissions:
  - Manage Azure Event Hub.
  - Create Virtual Machines for scanning (in the future).
Reason: The eset-cwpp-rg resource group will contain CWPP-managed resources. CWPP will create an Azure Event Hub in this resource group. In the future, CWPP will create Virtual Machines here to scan cloud storage/disks.
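As an added example (not ESET's or Microsoft's code), the following Python check verifies whether a set of Azure role assignments actually grants the actions listed above at the required scopes, applying Azure RBAC's wildcard action matching, NotActions exclusion and scope inheritance; the subscription id is a placeholder, the role definitions are abridged and constructed rather than the full built-in roles, and the Event Hub action is an assumed stand-in for "Manage Azure Event Hub".

```python
import re
# Constructed placeholder subscription id, plus the resource group named on the page.
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
CWPP_RG = SUBSCRIPTION + "/resourceGroups/eset-cwpp-rg"

# Concrete actions CWPP must be able to perform, derived from the table above
# (the Event Hub action is an assumed stand-in for "Manage Azure Event Hub").
REQUIRED = [
    ("Microsoft.Compute/virtualMachines/read", SUBSCRIPTION),               # */read
    ("Microsoft.Insights/diagnosticSettings/write", SUBSCRIPTION),          # DiagnosticSettings/*
    ("Microsoft.Compute/virtualMachines/runCommand/action", SUBSCRIPTION),  # runCommand/*
    ("Microsoft.EventHub/namespaces/write", CWPP_RG),                       # Contributor on the RG
]
# Abridged, constructed role definitions (not the complete built-in roles).
ROLES = {
    "Log Analytics Contributor": {"actions": ["*/read", "Microsoft.Insights/diagnosticSettings/*"], "notActions": []},
    "Virtual Machine Contributor": {"actions": ["Microsoft.Compute/virtualMachines/*"], "notActions": []},
    "Contributor": {"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]},
}
# Constructed assignments mirroring the three rows of the RBAC table.
ASSIGNMENTS = [
    {"role": "Log Analytics Contributor", "scope": SUBSCRIPTION},
    {"role": "Virtual Machine Contributor", "scope": SUBSCRIPTION},
    {"role": "Contributor", "scope": CWPP_RG},
]

def action_matches(pattern, action):
    # Azure RBAC action matching is case-insensitive and '*' matches any run of characters.
    regex = "^" + re.escape(pattern.lower()).replace(r"\*", ".*") + "$"
    return re.match(regex, action.lower()) is not None

def scope_covers(assigned_scope, target_scope):
    # An assignment applies at its own scope and is inherited by every child scope.
    a, t = assigned_scope.lower().rstrip("/"), target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def permits(assignment, action, scope, roles=ROLES):
    # Effective permission = Actions minus NotActions, only within the assignment scope.
    role = roles[assignment["role"]]
    if not scope_covers(assignment["scope"], scope):
        return False
    if any(action_matches(n, action) for n in role["notActions"]):
        return False
    return any(action_matches(a, action) for a in role["actions"])

def missing_permissions(assignments, required=REQUIRED, roles=ROLES):
    # (action, scope) pairs that no assignment grants: what an onboarding would fail on.
    return [(act, sc) for act, sc in required
            if not any(permits(a, act, sc, roles) for a in assignments)]
```

Run `missing_permissions` over the assignments exported for the CWPP application's service principal to spot a missing row before onboarding rather than after a failed DiagnosticSettings or runCommand call.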

MS Graph

Permission name: https://graph.microsoft.com/AuditLog.Read.All
Description: Read all audit log data.
Admin consent is required: Yes
Reason: CWPP will read Entra logs and Activity logs using the Graph API.

Permission name: https://management.azure.com/user_impersonation
Description: Allow the application to access Azure Resource Manager, acting as a user in the organization.
Admin consent is required: No
Reason: In the case of automated integration of CWPP with the client's Azure tenant, CWPP will list the existing subscriptions, assign the required permissions to the CWPP application (an Azure multi-tenant application connected to the client's tenant by approving consent), and create a resource group for CWPP-managed resources.