Configure Subscription access to view Security advisories

To access and view Security advisories, you must have the correct role access. This article describes the steps to create tenant or subscription - based access.

Subscription‑based access means you can only see Security Advisories that apply to the specific Azure subscription you’re permitted to view.

Tenant-based access applies to the entire Microsoft Entra ID tenant, meaning it covers all subscriptions in that organization.

Subscription-based access

The following steps explain how to set up a subscription to view Security advisories.

1. Access the Azure portal
Log into the Azure portal and navigate to the Subscriptions section.

A screenshot of Azure portal to select and open the subscription panel.

2. Select the Subscription

Choose the subscription that you want to manage for Security advisory access.

A screenshot of subscription panel.

3. Navigate to Access control (IAM)

Select Access control (IAM) to manage user roles.

A screenshot of the Access control screen panel.

4. Add the role assignment

Select Add role assignment to assign the necessary roles.
Users must have elevated roles such as Owner or Contributor to view sensitive information in Security advisories. Only users with elevated roles can access sensitive information on the Summary, Issue updates, and Impacted resources tabs.

A screenshot of menu to add a role.

5. Verify the user roles

Ensure that the user you're assigning has the appropriate Role-Based Access Control (RBAC) permissions.
Users with only reader access can't view sensitive details unless they're assigned the appropriate elevated permissions.

  • The Reader role can only view.
  • The Contributor role:
    • Can create, modify, and delete any Azure resource in the subscription.
    • Can deploy and manage Virtual Machines (VMs), storage accounts, networks, and functions
    • Can't manage Access control Identity & Access Management (IAM)
  • The Co-administrator role:
    • Can view, modify resources, Manage access control (IAM) with almost the same access as a full subscription.
    • Can't change the service administrator for a subscription.
  • The Custom Role:
    • You or your subscription administrator define the permissions for this role.

6. Update the email addresses

To ensure that security notifications are received, verify that the email address associated with the user is current follow these steps.

  1. Navigate to Microsoft Entra ID.
  2. Select Users.
  3. Check the user’s profile for the correct email address.

Make sure that the Subscription Administrator and Tenant Global Admin roles have the right contact information to receive notifications for security issues impacting at the subscription and tenant levels. For more information about assigning roles in Azure, see Assign Azure roles using the Azure portal.

Tenant-based access

Tenant admin access in Azure refers to the permissions granted to roles that allow users to manage and view resources at the tenant level.
These roles include Global Administrator, Application Administrator, and others. Tenant admin access enables users to manage users, groups, and permissions within the organization, and view tenant-level events in the Azure Service Health portal.

Note

Tenant-level alerts require tenant admin-level read access.

1. Identify who needs tenant-level access

Determine which users or teams require visibility into:

  • Organization-wide security advisories
  • Sensitive advisory details (Summary, Issue Updates, Impacted Resources)

    [!NOTE:] Only tenant admin level roles can view tenant scoped security advisories. For more information on who can access Security advisories, see Who can view Security advisories.

2. Access the Azure portal
Log into the Azure portal and navigate to the Microsoft Entra ID section.

A screenshot of the portal with Microsoft Entra ID sign-in.

3. Add Roles and administrators
Select Roles and administrators from the side panel.

A screenshot of the Roles and administrators panel.

4. Select the role
Select the role directly to open a new window.

A screenshot of the list of roles to choose from.

5. Add Assignment

On this panel there are three tabs, Eligible assignments, Active assignments and Expired assignments. Select + Add assignments.

A screenshot of panel showing assignments for this role.

  1. A new pane appears where you choose who should receive this role. Use the search box to find:
  • A user account
  • A Microsoft 365 group
  • An application / service principal (if you're assigning to identity app)
  1. Select the correct identity from the results.

Tip

Only groups and people who can be assigned appear on the list.

6. Confirm the assignment

  1. Select Next (if prompted).
  2. Select Assign.
  3. The user/group/app appears under the role's Assignments tab.

7. Verify the permissions (Optional)

  1. Sign out and then sign in again.
  2. Confirm the access to the feature they need (for instance viewing tenant-level Security advisories in Service health).
  • Last updated on