Security First: All the roles listed below provide read-only access to your infrastructure. The built-in Reader role and the custom permission list below are control-plane read operations only: they include no data actions and no list-keys or list-secrets style actions, so Anyshift cannot access secrets, passwords, API keys, or any other sensitive data stored in your Azure subscription. For Key Vault, for example, Anyshift sees vault metadata, never secret values.
Required Roles and Permissions
Setup Options
Two setup options are described below: the Recommended Setup, which assigns the built-in Reader role, and Custom Permissions, which uses a custom role limited to the exact read actions in the Complete Permissions List.
Assign Reader Role at the Management Group Level
For complete infrastructure visibility, assign the built-in Reader role at the Management Group level containing all subscriptions you want to track.
Anyshift will scan all Azure resources including:
- Compute (Virtual Machines, VM Scale Sets, Disks, Availability Sets)
- Network (VNets, Subnets, NICs, NSGs, Load Balancers, Private DNS Zones)
- Storage (Storage Accounts, Blob Containers, File Shares, Queues, Tables)
- Containers (AKS Clusters, Agent Pools, Container Registries)
- Identity (Managed Identities, Role Assignments, Role Definitions)
- Key Vault metadata
- Log Analytics Workspaces
- Resource Groups and Subscriptions
Complete Permissions List
View all permissions that Anyshift uses for comprehensive infrastructure scanning:
Compute Resources
- Microsoft.Compute/virtualMachines/read
- Microsoft.Compute/virtualMachineScaleSets/read
- Microsoft.Compute/disks/read
- Microsoft.Compute/diskEncryptionSets/read
- Microsoft.Compute/availabilitySets/read
Network Resources
- Microsoft.Network/virtualNetworks/read
- Microsoft.Network/networkInterfaces/read
- Microsoft.Network/networkSecurityGroups/read
- Microsoft.Network/publicIPAddresses/read
- Microsoft.Network/loadBalancers/read
- Microsoft.Network/privateDnsZones/read
- Microsoft.Network/applicationGateways/read
- Microsoft.Network/azureFirewalls/read
- Microsoft.Network/virtualNetworkGateways/read
- Microsoft.Network/dnszones/read
Storage Resources
- Microsoft.Storage/storageAccounts/read
- Microsoft.Storage/storageAccounts/blobServices/read
- Microsoft.Storage/storageAccounts/blobServices/containers/read
- Microsoft.Storage/storageAccounts/fileServices/read
- Microsoft.Storage/storageAccounts/fileServices/shares/read
- Microsoft.Storage/storageAccounts/queueServices/read
- Microsoft.Storage/storageAccounts/tableServices/read
Container Resources
- Microsoft.ContainerService/managedClusters/read
- Microsoft.ContainerService/managedClusters/agentPools/read
- Microsoft.ContainerRegistry/registries/read
Identity & Authorization
- Microsoft.ManagedIdentity/userAssignedIdentities/read
- Microsoft.Authorization/roleAssignments/read
- Microsoft.Authorization/roleDefinitions/read
App Service & Serverless
- Microsoft.Web/sites/read
- Microsoft.Web/serverfarms/read
- Microsoft.Web/sites/functions/read
Databases
- Microsoft.Sql/servers/read
- Microsoft.Sql/servers/databases/read
- Microsoft.Sql/servers/elasticPools/read
- Microsoft.DocumentDB/databaseAccounts/read
- Microsoft.Cache/redis/read
Messaging & Events
- Microsoft.ServiceBus/namespaces/read
- Microsoft.ServiceBus/namespaces/queues/read
- Microsoft.ServiceBus/namespaces/topics/read
- Microsoft.EventHub/namespaces/read
- Microsoft.EventHub/namespaces/eventhubs/read
Other Resources
- Microsoft.KeyVault/vaults/read
- Microsoft.OperationalInsights/workspaces/read
- Microsoft.ApiManagement/service/read
- Microsoft.Insights/alertRules/read
- Microsoft.Insights/diagnosticSettings/read
- Microsoft.Resources/subscriptions/read
- Microsoft.Resources/subscriptions/resourceGroups/read
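If you prefer the Custom Permissions option over the built-in Reader role, the permission list above can be turned into a least-privilege custom role. The Terraform configuration below is an added example written for this page, not Anyshift's own code; it assumes a management group named contoso-root (hypothetical) and the hashicorp/azurerm provider, and copies the actions exactly as listed above. Because every entry is a control-plane read action and the data_actions list is empty, the role cannot read blob contents, Key Vault secret values, or storage account keys.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Hypothetical management group name; replace with the group that contains
# every subscription Anyshift should scan.
variable "management_group_name" {
  type    = string
  default = "contoso-root"
}

data "azurerm_management_group" "scan_scope" {
  name = var.management_group_name
}

# Custom role built from the page's permission list. Only */read control-plane
# actions are granted; no DataActions, no listKeys/listSecrets-style actions.
resource "azurerm_role_definition" "anyshift_readonly" {
  name        = "Anyshift Read-Only Scanner"
  scope       = data.azurerm_management_group.scan_scope.id
  description = "Least-privilege read access for Anyshift infrastructure scanning"

  permissions {
    actions = [
      "Microsoft.Compute/virtualMachines/read",
      "Microsoft.Compute/virtualMachineScaleSets/read",
      "Microsoft.Compute/disks/read",
      "Microsoft.Compute/diskEncryptionSets/read",
      "Microsoft.Compute/availabilitySets/read",
      "Microsoft.Network/virtualNetworks/read",
      "Microsoft.Network/networkInterfaces/read",
      "Microsoft.Network/networkSecurityGroups/read",
      "Microsoft.Network/publicIPAddresses/read",
      "Microsoft.Network/loadBalancers/read",
      "Microsoft.Network/privateDnsZones/read",
      "Microsoft.Network/applicationGateways/read",
      "Microsoft.Network/azureFirewalls/read",
      "Microsoft.Network/virtualNetworkGateways/read",
      "Microsoft.Network/dnszones/read",
      "Microsoft.Storage/storageAccounts/read",
      "Microsoft.Storage/storageAccounts/blobServices/read",
      "Microsoft.Storage/storageAccounts/blobServices/containers/read",
      "Microsoft.Storage/storageAccounts/fileServices/read",
      "Microsoft.Storage/storageAccounts/fileServices/shares/read",
      "Microsoft.Storage/storageAccounts/queueServices/read",
      "Microsoft.Storage/storageAccounts/tableServices/read",
      "Microsoft.ContainerService/managedClusters/read",
      "Microsoft.ContainerService/managedClusters/agentPools/read",
      "Microsoft.ContainerRegistry/registries/read",
      "Microsoft.ManagedIdentity/userAssignedIdentities/read",
      "Microsoft.Authorization/roleAssignments/read",
      "Microsoft.Authorization/roleDefinitions/read",
      "Microsoft.Web/sites/read",
      "Microsoft.Web/serverfarms/read",
      "Microsoft.Web/sites/functions/read",
      "Microsoft.Sql/servers/read",
      "Microsoft.Sql/servers/databases/read",
      "Microsoft.Sql/servers/elasticPools/read",
      "Microsoft.DocumentDB/databaseAccounts/read",
      "Microsoft.Cache/redis/read",
      "Microsoft.ServiceBus/namespaces/read",
      "Microsoft.ServiceBus/namespaces/queues/read",
      "Microsoft.ServiceBus/namespaces/topics/read",
      "Microsoft.EventHub/namespaces/read",
      "Microsoft.EventHub/namespaces/eventhubs/read",
      "Microsoft.KeyVault/vaults/read",
      "Microsoft.OperationalInsights/workspaces/read",
      "Microsoft.ApiManagement/service/read",
      "Microsoft.Insights/alertRules/read",
      "Microsoft.Insights/diagnosticSettings/read",
      "Microsoft.Resources/subscriptions/read",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
    ]
    not_actions      = []
    data_actions     = [] # empty on purpose: no data-plane access
    not_data_actions = []
  }

  # The role can only be assigned within the management group it was created for.
  assignable_scopes = [data.azurerm_management_group.scan_scope.id]
}

# Use this ID as role_definition_id in an azurerm_role_assignment for the
# Anyshift service principal instead of role_definition_name = "Reader".
output "anyshift_role_definition_id" {
  value = azurerm_role_definition.anyshift_readonly.role_definition_resource_id
}
```

Keeping the role's scope and assignable_scopes at the management group means it cannot later be assigned outside the subscriptions you intend Anyshift to see. If Anyshift adds support for new resource types, the role has to be updated, which is the trade-off against the built-in Reader role.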
Setup Guide
Option 1: Service Principal (Recommended)
For more details on app registration, see the Microsoft Entra ID documentation.
Step 1 - Register an Application in Microsoft Entra ID
- Go to Microsoft Entra ID (formerly Azure Active Directory)
- Navigate to App registrations → New registration
- Enter the following:
  - Name: anyshift-readonly
  - Supported account types: “Accounts in this organizational directory only”
- Click Register
- Note the Application (client) ID and Directory (tenant) ID from the Overview page
- Go to Certificates & secrets → Client secrets → New client secret
  - Description: anyshift-secret
  - Expires: Choose your preferred duration (recommended: 24 months)
- Click Add and copy the secret value immediately (it won’t be shown again)
Step 2 - Assign Reader Role to the Service Principal
Recommended: Assign the Reader role at the Management Group level. The assignment is inherited by every subscription under that group, including subscriptions moved into it later, so a single role assignment grants access to all subscriptions you want to track.
- Go to Management groups → Select the management group containing all subscriptions you want to track
- Navigate to Access control (IAM) → Add → Add role assignment
- Select the Reader role → Next
- Select User, group, or service principal → Select members
- Search for anyshift-readonly and select it
- Click Review + assign
Step 3 - Add Credentials in Anyshift
- Go to Integrations → Azure → Credentials → New Credential
- Enter your credentials:
- Tenant ID: The Directory (tenant) ID noted in Step 1
- Client ID: The Application (client) ID from Step 1
- Client Secret: The secret value from Step 1
- Click Save
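The same three steps can be scripted so the app registration, secret and role assignment are reviewable and repeatable. The Terraform configuration below is an added example for this page, not Anyshift's own code; it assumes a management group named contoso-root (hypothetical) and the hashicorp/azuread (v3) and hashicorp/azurerm providers, and produces the three values the Anyshift credential form in Step 3 asks for.

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = ">= 3.0"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0"
    }
  }
}

provider "azuread" {}

provider "azurerm" {
  features {}
}

# Hypothetical management group name; replace with the group that contains
# every subscription Anyshift should track.
variable "management_group_name" {
  type    = string
  default = "contoso-root"
}

data "azurerm_client_config" "current" {}

data "azurerm_management_group" "scan_scope" {
  name = var.management_group_name
}

# Step 1: single-tenant app registration
# ("Accounts in this organizational directory only").
resource "azuread_application" "anyshift" {
  display_name     = "anyshift-readonly"
  sign_in_audience = "AzureADMyOrg"
}

# The service principal is the identity that receives the role assignment.
resource "azuread_service_principal" "anyshift" {
  client_id = azuread_application.anyshift.client_id
}

# Client secret valid for 24 months (17520h). Terraform writes the value to
# state, so the state backend must be protected like any other secret store.
resource "azuread_application_password" "anyshift" {
  application_id    = azuread_application.anyshift.id
  display_name      = "anyshift-secret"
  end_date_relative = "17520h"
}

# Step 2: Reader at the management group, inherited by every subscription
# beneath it. To use a custom least-privilege role instead, replace
# role_definition_name with role_definition_id.
resource "azurerm_role_assignment" "anyshift_reader" {
  scope                = data.azurerm_management_group.scan_scope.id
  role_definition_name = "Reader"
  principal_id         = azuread_service_principal.anyshift.object_id
}

# Step 3: values to enter in Integrations -> Azure -> Credentials.
output "tenant_id" {
  value = data.azurerm_client_config.current.tenant_id
}

output "client_id" {
  value = azuread_application.anyshift.client_id
}

output "client_secret" {
  value     = azuread_application_password.anyshift.value
  sensitive = true
}
```

After terraform apply, read the secret once with terraform output -raw client_secret and paste it into the Anyshift form; because the secret lives in Terraform state, keep state in an encrypted, access-controlled backend, and plan a terraform apply before the 24-month expiry to rotate it.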
Option 2: Managed Identity (Coming Soon)
We are working to add support for Azure Managed Identity. This will allow you to grant Anyshift access without managing client secrets, using Azure’s native identity capabilities with Workload Identity Federation. Stay tuned for updates!
Troubleshooting
Common Issues
Status shows “Error” after adding credentials
This typically means the service principal doesn’t have the required permissions or the credentials are wrong. Verify that:
- The Reader role is assigned to the service principal at the management group level (or directly on every subscription you want to track)
- The credentials (Tenant ID, Client ID, Client Secret) are correct; the Client Secret is the secret Value copied when the secret was created, not the Secret ID
- The client secret hasn’t expired
- The service principal has access to the correct subscription(s)
- Resources exist in the subscription
- Allow a few minutes for the initial scan to complete; a newly created role assignment can also take a few minutes to propagate