ESET PROTECT – Table of Contents

Required permissions for Azure service principal

Copy current article URL Share via email

This article (PDF) Whole documentation (PDF)

Azure role-based access control (RBAC)

Role	Scope	Required permissions	Reason
Log Analytics Contributor	/subscriptions/${subscription_id}	•/read To be able to read all resources in the subscription. •Microsoft.Insights/DiagnosticSettings/ To be able to create/update DiagnosticSettings to collect resource logs to Azure EventHub.	ESET Cloud Workload Protection (CWP) will create and update DiagnosticSettings for Azure resources.
Virtual Machine Contributor	/subscriptions/${subscription_id}	•Microsoft.Compute/virtualMachines/runCommand/* https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/compute#microsoftcompute	CWP will run commands on the client's Virtual Machines to install ESET Endpoint using the ESET Live Installer.
Contributor	/subscriptions/${subscription_id}/resourceGroups/eset-cwpp-rg	•Manage Azure Event Hub. •Create Virtual Machines for scanning (in the future).	The eset-cwpp-rg resource group will contain CWP-managed resources. CWP will create an Azure Event Hub in this resource group. In the future, CWP will create Virtual Machines to scan Cloud storage/disks here.

Role

Scope

Required permissions

Reason

Log Analytics Contributor

/subscriptions/${subscription_id}

•*/read
To be able to read all resources in the subscription.

•Microsoft.Insights/DiagnosticSettings/*
To be able to create/update DiagnosticSettings to collect resource logs to Azure EventHub.

ESET Cloud Workload Protection (CWP) will create and update DiagnosticSettings for Azure resources.

Virtual Machine Contributor

/subscriptions/${subscription_id}

•Microsoft.Compute/virtualMachines/runCommand/*
https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/compute#microsoftcompute

CWP will run commands on the client's Virtual Machines to install ESET Endpoint using the ESET Live Installer.

Contributor

/subscriptions/${subscription_id}/resourceGroups/eset-cwpp-rg

•Manage Azure Event Hub.

•Create Virtual Machines for scanning (in the future).

The eset-cwpp-rg resource group will contain CWP-managed resources. CWP will create an Azure Event Hub in this resource group. In the future, CWP will create Virtual Machines to scan Cloud storage/disks here.

MS Graph

Permission name	Description	Grant admin consent is required	Reason
https://graph.microsoft.com/AuditLog.Read.All	Read all audit log data.	Yes	CWP will read Activity logs using Graph API.
https://management.azure.com/user_impersonation	Allow the application to access Azure Resource Manager, acting as a user in the organization.	No	In case of automated integration of CWP with the client's Azure tenant, ESET Cloud Workload Protection will list existing subscriptions, assign required permissions to the ESET Cloud Workload Protection application (an Azure multi-tenant application connected to the client's tenant by approving consent) and create a resource group for ESET Cloud Workload Protection-managed resources.

˄˅