Azure Service Principal
Permissions for the Azure service principal
This document specifies the exact permissions required for each service principal PAA uses. Granting more than the listed permissions is unnecessary. Granting less will cause partial or complete scan failures.
1. Azure Service Principal
Purpose
Used by Health Checks, Cost Intelligence, Change Monitor (drift detection), and the RBAC Audit. PAA uses this service principal to query Azure Resource Graph and the Azure Cost Management API.
Where to Configure
Settings > Azure
Required Azure RBAC Roles
Assign these roles to the service principal on each subscription you want PAA to scan.
| Role | Scope | Required For |
|---|---|---|
| Reader | Per subscription | All Health Check scanning (Resource Graph queries, resource health, tag compliance, encryption, storage security, naming, resource locks, network security) |
| Cost Management Reader | Per subscription | Cost Intelligence (spend data, trends, budgets, recommendations) |
Both roles must be assigned at the subscription level (not resource group level) for Resource Graph cross-subscription queries to work correctly.
Minimum viable configuration: Reader only. Cost Intelligence will be unavailable without Cost Management Reader.
How to Create the Service Principal
- In Azure Portal, open Microsoft Entra ID > App Registrations > New Registration
- Name it (e.g., paa-scanner) and register
- Under Certificates & Secrets, create a new Client Secret. Note the value immediately; it is only shown once
- Note the Application (client) ID and Directory (tenant) ID from the Overview page
- In each target subscription, open Access Control (IAM) > Add Role Assignment
- Assign Reader to the service principal
- Repeat for Cost Management Reader on the same subscriptions
- In PAA Settings > Azure, enter the Tenant ID, Client ID, and Client Secret, then click Test Connection
What PAA Does with This Service Principal
| Scan Area | API Used | Permission Required |
|---|---|---|
| Resource health, orphaned resources, tags, encryption, locks, naming, storage security | Azure Resource Graph | Reader |
| Network security groups, firewall rules | Azure Resource Graph | Reader |
| Diagnostic settings audit | Azure Resource Graph | Reader |
| RBAC role assignments and custom roles | Azure Resource Graph (AuthorizationResources) | Reader |
| Management group hierarchy | Azure Resource Manager | Reader |
| Azure Policy compliance | Azure Resource Graph | Reader |
| Cost trends, spend breakdown, budgets | Azure Cost Management API | Cost Management Reader |
| Cost-based optimization recommendations | Azure Cost Management API | Cost Management Reader |
Notes
- The service principal only needs read access. PAA does not make changes to your Azure environment.
- If a subscription uses the Free or Dev/Test offer type, the Cost Management API may return 404 for that subscription. This is an Azure limitation — Reader is still needed for Resource Graph scanning on that subscription.
- Management group queries work across all subscriptions the service principal can read. If you want to limit scanning to specific subscriptions, configure this under Settings > Azure > Subscriptions to Scan.
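As an added check (example code, not part of PAA or this guide), the script below audits the role assignments an existing service principal holds against the model above: Reader and Cost Management Reader, each exactly at subscription scope, and nothing more. It reads the JSON that `az role assignment list --assignee <client-id> --all -o json` prints; the assignments and subscription IDs embedded here are constructed samples covering a correct subscription, a resource-group-scoped Reader, and an over-privileged Contributor.

```python
import json
import re

READER = "Reader"
COST_READER = "Cost Management Reader"
# Both roles must sit exactly at subscription scope; a deeper scope such as
# /subscriptions/<id>/resourceGroups/<rg> does not satisfy the guide.
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/([0-9a-f-]{36})$", re.IGNORECASE)


def audit_assignments(assignments, subscriptions_to_scan):
    """Return {sub_id: {"health_checks", "cost_intelligence", "findings"}} for the
    subscriptions PAA scans. Management-group or root-scope inheritance is not evaluated."""
    report = {s.lower(): {"health_checks": False, "cost_intelligence": False,
                          "findings": []} for s in subscriptions_to_scan}
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        parts = scope.lower().split("/")
        sub = parts[2] if len(parts) > 2 and parts[1] == "subscriptions" else None
        if sub not in report:
            continue  # not a subscription PAA is configured to scan
        entry = report[sub]
        if not SUBSCRIPTION_SCOPE.match(scope):
            entry["findings"].append(f"{role} at {scope}: below subscription scope, ignored")
        elif role == READER:
            entry["health_checks"] = True
        elif role == COST_READER:
            entry["cost_intelligence"] = True
        else:  # anything beyond the two read roles is more than PAA needs
            entry["findings"].append(f"{role} at subscription scope exceeds read-only need")
    for entry in report.values():
        if not entry["health_checks"]:
            entry["findings"].append("Reader missing at subscription scope: Health Checks will fail")
        elif not entry["cost_intelligence"]:
            entry["findings"].append("Cost Management Reader missing: Cost Intelligence unavailable")
    return report


# Constructed sample in the shape of `az role assignment list --assignee <client-id> --all -o json`
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"roleDefinitionName": "Reader", "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
  {"roleDefinitionName": "Cost Management Reader", "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
  {"roleDefinitionName": "Reader", "scope": "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-app"},
  {"roleDefinitionName": "Contributor", "scope": "/subscriptions/33333333-3333-3333-3333-333333333333"},
  {"roleDefinitionName": "Reader", "scope": "/subscriptions/33333333-3333-3333-3333-333333333333"}
]""")
SCAN_LIST = [f"{d * 8}-{d * 4}-{d * 4}-{d * 4}-{d * 12}" for d in "123"]  # the three sample subscription IDs

if __name__ == "__main__":
    for sub, entry in audit_assignments(SAMPLE_ASSIGNMENTS, SCAN_LIST).items():
        print(sub, entry["findings"] or "OK")
```

Replace `SAMPLE_ASSIGNMENTS` with the real `az` output and `SCAN_LIST` with the IDs configured under Settings > Azure > Subscriptions to Scan; any subscription with findings will fail some or all scans.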
Platform Architecture Authority — Crimson Owl Technologies Last updated: March 2026