Azure role-based access control permissions required to use Network Watcher capabilities
Azure role-based access control (Azure RBAC) enables you to assign only the specific actions to members of your organization that they require to complete their assigned responsibilities.
To use Azure Network Watcher capabilities, the account you sign in to Azure with must be assigned the Owner, Contributor, or Network Contributor built-in role, or a custom role that includes the actions listed for each Network Watcher capability in the sections that follow.
To learn how to check roles assigned to a user for a subscription, see List Azure role assignments using the Azure portal. If you can't see the role assignments, contact the respective subscription admin.
Network Contributor doesn't cover the following actions:
- Microsoft.Storage/* actions listed in the Additional actions and Flow logs sections.
- Microsoft.Compute/* actions listed in the Additional actions section.
- Microsoft.OperationalInsights/workspaces/*, Microsoft.Insights/dataCollectionRules/* and Microsoft.Insights/dataCollectionEndpoints/* actions listed in the Traffic analytics section.
Network Watcher

| Action | Description |
| --- | --- |
| Microsoft.Network/networkWatchers/read | Get a network watcher |
| Microsoft.Network/networkWatchers/write | Create or update a network watcher |
| Microsoft.Network/networkWatchers/delete | Delete a network watcher |
Connection monitor

| Action | Description |
| --- | --- |
| Microsoft.Network/networkWatchers/connectionMonitors/start/action | Start a connection monitor |
| Microsoft.Network/networkWatchers/connectionMonitors/stop/action | Stop a connection monitor |
| Microsoft.Network/networkWatchers/connectionMonitors/query/action | Query a connection monitor |
| Microsoft.Network/networkWatchers/connectionMonitors/read | Get a connection monitor |
| Microsoft.Network/networkWatchers/connectionMonitors/write | Create a connection monitor |
| Microsoft.Network/networkWatchers/connectionMonitors/delete | Delete a connection monitor |
Flow logs

| Action | Description |
| --- | --- |
| Microsoft.Network/networkWatchers/configureFlowLog/action | Configure a flow log |
| Microsoft.Network/networkWatchers/queryFlowLogStatus/action | Query the status of a flow log |
| Microsoft.Network/networkSecurityGroups/write ¹ | Create a network security group or update an existing one |
| Microsoft.Storage/storageAccounts/listServiceSas/Action, Microsoft.Storage/storageAccounts/listAccountSas/Action, Microsoft.Storage/storageAccounts/listKeys/Action | Fetch shared access signatures (SAS) and account keys that grant access to the storage account, so that flow logs can be written to it |

¹ Only required with NSG flow logs.
Traffic analytics

Because traffic analytics is enabled as part of the flow log resource, the following permissions are required in addition to all of the permissions required for Flow logs:

| Action | Description |
| --- | --- |
| Microsoft.Network/applicationGateways/read | Get an application gateway |
| Microsoft.Network/connections/read | Get a VirtualNetworkGatewayConnection |
| Microsoft.Network/loadBalancers/read | Get a load balancer definition |
| Microsoft.Network/localNetworkGateways/read | Get a LocalNetworkGateway |
| Microsoft.Network/networkInterfaces/read | Get a network interface definition |
| Microsoft.Network/networkSecurityGroups/read | Get a network security group definition |
| Microsoft.Network/publicIPAddresses/read | Get a public IP address definition |
| Microsoft.Network/routeTables/read | Get a route table definition |
| Microsoft.Network/virtualNetworkGateways/read | Get a VirtualNetworkGateway |
| Microsoft.Network/virtualNetworks/read | Get a virtual network definition |
| Microsoft.Network/expressRouteCircuits/read | Get an ExpressRouteCircuit |
| Microsoft.OperationalInsights/workspaces/read | Get an existing workspace |
| Microsoft.OperationalInsights/workspaces/sharedkeys/action | Retrieve the shared keys for the workspace |
| Microsoft.Insights/dataCollectionRules/read ¹ | Read a data collection rule |
| Microsoft.Insights/dataCollectionRules/write ¹ | Create or update a data collection rule |
| Microsoft.Insights/dataCollectionRules/delete ¹ | Delete a data collection rule |
| Microsoft.Insights/dataCollectionEndpoints/read ¹ | Read a data collection endpoint |
| Microsoft.Insights/dataCollectionEndpoints/write ¹ | Create or update a data collection endpoint |
| Microsoft.Insights/dataCollectionEndpoints/delete ¹ | Delete a data collection endpoint |

¹ Only required when using traffic analytics to analyze virtual network flow logs. For more information, see Data collection rules in Azure Monitor and Data collection endpoints in Azure Monitor.

Data collection rule and data collection endpoint resources are created and managed by traffic analytics. If you modify or delete these resources yourself, traffic analytics may not function as expected.

Role assignments inherited from a management group are currently not honored when enabling traffic analytics; assign the role at a lower scope (subscription or resource group) instead.
Connection troubleshoot

| Action | Description |
| --- | --- |
| Microsoft.Network/networkWatchers/connectivityCheck/action | Initiate a connection troubleshoot test |
| Microsoft.Network/networkWatchers/queryTroubleshootResult/action | Query the results of a connection troubleshoot test |
| Microsoft.Network/networkWatchers/troubleshoot/action | Run a connection troubleshoot test |
Packet capture

| Action | Description |
| --- | --- |
| Microsoft.Network/networkWatchers/packetCaptures/queryStatus/action | Query the status of a packet capture |
| Microsoft.Network/networkWatchers/packetCaptures/stop/action | Stop a packet capture |
| Microsoft.Network/networkWatchers/packetCaptures/read | Get a packet capture |
| Microsoft.Network/networkWatchers/packetCaptures/write | Create a packet capture |
| Microsoft.Network/networkWatchers/packetCaptures/delete | Delete a packet capture |
| Microsoft.Network/networkWatchers/packetCaptures/queryStatus/read | View the status of a packet capture |
IP flow verify

| Action | Description |
| --- | --- |
| Microsoft.Network/networkWatchers/ipFlowVerify/action | Verify an IP flow |
Next hop

| Action | Description |
| --- | --- |
| Microsoft.Network/networkWatchers/nextHop/action, Microsoft.Network/networkWatchers/nextHop/read | For a specified source VM and destination IP address, return the next hop type and next hop IP address |
| Microsoft.Compute/virtualMachines/read | Get the properties of a virtual machine |
| Microsoft.Network/networkInterfaces/read | Get a network interface definition |
Security group view

| Action | Description |
| --- | --- |
| Microsoft.Network/networkWatchers/securityGroupView/action | View the effective security groups |
Topology

| Action | Description |
| --- | --- |
| Microsoft.Network/networkWatchers/topology/action | Get topology |
| Microsoft.Network/networkWatchers/topology/read | Get topology |
Reachability report

| Action | Description |
| --- | --- |
| Microsoft.Network/networkWatchers/azureReachabilityReport/action | Get an Azure reachability report |
Additional actions

Network Watcher capabilities also require the following actions:

| Action(s) | Description |
| --- | --- |
| Microsoft.Authorization/*/Read | Fetch Azure role assignments and policy definitions |
| Microsoft.Resources/subscriptions/resourceGroups/Read | Enumerate all the resource groups in a subscription |
| Microsoft.Storage/storageAccounts/Read | Get the properties of the specified storage account |
| Microsoft.Storage/storageAccounts/listServiceSas/Action, Microsoft.Storage/storageAccounts/listAccountSas/Action, Microsoft.Storage/storageAccounts/listKeys/Action | Fetch shared access signatures (SAS) and account keys that grant access to the storage account, so that captures and logs can be written to it |
| Microsoft.Compute/virtualMachines/Read, Microsoft.Compute/virtualMachines/Write | Access the VM, run a packet capture and upload it to the storage account |
| Microsoft.Compute/virtualMachines/extensions/Read, Microsoft.Compute/virtualMachines/extensions/Write | Check whether the Network Watcher extension is present, and install it if necessary |
| Microsoft.Compute/virtualMachineScaleSets/Read, Microsoft.Compute/virtualMachineScaleSets/Write | Access virtual machine scale sets, run packet captures and upload them to the storage account |
| Microsoft.Compute/virtualMachineScaleSets/extensions/Read, Microsoft.Compute/virtualMachineScaleSets/extensions/Write | Check whether the Network Watcher extension is present, and install it if necessary |
| Microsoft.Insights/alertRules/* | Set up metric alerts |
| Microsoft.Support/* | Create and update support tickets from Network Watcher |
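When building the custom role mentioned at the top of this page, the practical question is whether its Actions, after NotActions are subtracted, actually cover every action a capability needs, using Azure RBAC's matching rules (action strings are case-insensitive and `*` matches any run of characters, including `/`). The following script is an added example and is not Microsoft code: it encodes the Flow logs and Traffic analytics action lists from this page (only three of the eleven Microsoft.Network/*/read entries are included, to keep it short), an approximation of the built-in Network Contributor role's Actions, and a hypothetical custom role named "Network Watcher Flow Log Operator" with a placeholder subscription ID, then reports the gaps and emits a corrected role definition in the JSON shape that `az role definition create --role-definition <file>` accepts.

```python
"""Check whether an Azure RBAC role definition covers the actions a Network
Watcher capability needs, using Azure's matching rules: action strings are
case-insensitive, '*' matches any run of characters (including '/'), and
anything matched by NotActions is subtracted from Actions.

Added example for this page, not Microsoft code. The custom role name, the
subscription ID and the abbreviated action lists are constructed.
"""
import json
import re

# Flow logs actions from the page ('/Action' and '/action' are equivalent in RBAC).
FLOW_LOG_ACTIONS = [
    "Microsoft.Network/networkWatchers/configureFlowLog/action",
    "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
    "Microsoft.Network/networkSecurityGroups/write",  # NSG flow logs only
    "Microsoft.Storage/storageAccounts/listServiceSas/action",
    "Microsoft.Storage/storageAccounts/listAccountSas/action",
    "Microsoft.Storage/storageAccounts/listKeys/action",
]

# Traffic analytics on virtual network flow logs = flow logs + these.
# Abbreviated: three of the page's eleven Microsoft.Network/*/read entries.
TRAFFIC_ANALYTICS_ACTIONS = FLOW_LOG_ACTIONS + [
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.OperationalInsights/workspaces/read",
    "Microsoft.OperationalInsights/workspaces/sharedkeys/action",
    "Microsoft.Insights/dataCollectionRules/read",
    "Microsoft.Insights/dataCollectionRules/write",
    "Microsoft.Insights/dataCollectionRules/delete",
    "Microsoft.Insights/dataCollectionEndpoints/read",
    "Microsoft.Insights/dataCollectionEndpoints/write",
    "Microsoft.Insights/dataCollectionEndpoints/delete",
]

# Approximation of the built-in Network Contributor Actions; check the live
# definition with: az role definition list --name "Network Contributor"
NETWORK_CONTRIBUTOR = {
    "Name": "Network Contributor",
    "Actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
    ],
    "NotActions": [],
}

# Hypothetical custom role in the JSON shape accepted by
# `az role definition create --role-definition role.json`.
CUSTOM_ROLE = {
    "Name": "Network Watcher Flow Log Operator",  # hypothetical name
    "IsCustom": True,
    "Description": "Enable flow logs and traffic analytics; no watcher deletion",
    "Actions": [
        "Microsoft.Network/networkWatchers/*",
        "Microsoft.Network/*/read",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "NotActions": ["Microsoft.Network/networkWatchers/delete"],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],  # placeholder
}


def _to_regex(pattern):
    """Compile an RBAC action pattern: only '*' is a wildcard, match is case-insensitive."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def action_allowed(action, role):
    """True if `action` matches role['Actions'] and is not removed by role['NotActions']."""
    granted = any(_to_regex(p).match(action) for p in role.get("Actions", []))
    denied = any(_to_regex(p).match(action) for p in role.get("NotActions", []))
    return granted and not denied


def missing_actions(required, role):
    """Required actions the role does not grant, in the order they were listed."""
    return [a for a in required if not action_allowed(a, role)]


def extend_role(role, required):
    """Return (copy of role with missing actions appended, actions blocked by NotActions).
    Blocked actions are reported rather than appended, since adding them to
    Actions would have no effect while NotActions still matches them."""
    new_role = json.loads(json.dumps(role))  # deep copy; the input role is untouched
    not_actions = role.get("NotActions", [])
    blocked = [a for a in required if any(_to_regex(p).match(a) for p in not_actions)]
    for a in missing_actions(required, role):
        if a not in blocked:
            new_role["Actions"].append(a)
    return new_role, blocked


if __name__ == "__main__":
    print("Network Contributor lacks:", missing_actions(TRAFFIC_ANALYTICS_ACTIONS, NETWORK_CONTRIBUTOR))
    fixed, blocked = extend_role(CUSTOM_ROLE, TRAFFIC_ANALYTICS_ACTIONS)
    print("Blocked by NotActions:", blocked)
    print(json.dumps(fixed, indent=2))  # save as role.json for az role definition create
```

Run against Network Contributor, the check reproduces the note at the top of this page: every Microsoft.Storage/*, Microsoft.OperationalInsights/* and Microsoft.Insights/dataCollection* action is missing. After assigning a role, confirm the assignment landed at the expected scope with `az role assignment list --assignee <principal> --all`, bearing in mind that an assignment inherited from a management group is not enough to enable traffic analytics.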