Admin consent regrant for Microsoft Azure application
As part of Microsoft Azure tenant onboarding, an Entra ID Global Administrator must grant the Afi application a set of permissions to access the tenant's resources and data. To do this, Afi requests Azure Resource Manager and Entra ID access from the administrator and then, once consent is given, provisions the service principal role assignments with the permissions listed in the table below, either for the tenant's root management group or for the subscriptions where the administrator has the Owner role.
Info
If the administrator performing the onboarding doesn't have access to the tenant's root management group, Afi automatically falls back to provisioning the service principal role assignments only for the subscriptions owned by that administrator. Note that in this case the Afi application won't be able to automatically discover new Azure subscriptions created in this tenant.
Info
To allow the Afi application to access all Azure subscriptions in a tenant, including newly created ones and those not owned by the administrator who grants access, the administrator can temporarily elevate their access to manage all subscriptions and management groups in the tenant, as described in the following article.
Occasionally, Afi needs to update the set of permissions used by its service principal to provide improved and more comprehensive support for Microsoft Azure Compute infrastructure backup and recovery, as well as to support new workloads such as Azure Databases (coming in H1 2025). In such cases, Afi will prompt you to grant the additional permissions by consenting to the application again so that it can update the service principal role assignments.
To regrant consent and update the Afi permissions, go to the Service → Settings → Admin consent tab and click the Regrant button:
Permissions change history
Below is a history of changes to Azure permissions granted to the Afi service principal during an Azure tenant onboarding or a consent regrant:
Date | Permissions added | Impact |
---|---|---|
14 Dec 2024 | Microsoft.Authorization/*/read | Query access-related information |
14 Dec 2024 | Microsoft.Management/managementGroups/read | List management groups |
14 Dec 2024 | Microsoft.Management/managementGroups/descendants/read | Get all the descendants (management groups, subscriptions) of a management group |
14 Dec 2024 | Microsoft.Management/managementGroups/subscriptions/read | List subscriptions under the given management group |
14 Dec 2024 | Microsoft.Management/getEntities/action | List all Microsoft.Management service entities (management groups, subscriptions, etc.) |
14 Dec 2024 | Microsoft.Resources/subscriptions/read | Get the list of subscriptions |
14 Dec 2024 | Microsoft.Resources/subscriptions/locations/read | Get the list of supported locations |
14 Dec 2024 | Microsoft.Resources/subscriptions/resourceGroups/* | Get or list resource groups; get, list, and manage deployments |
14 Dec 2024 | Microsoft.ResourceHealth/* | Get health state and availability status for a resource |
14 Dec 2024 | Microsoft.Compute/* | Access and manage Azure Compute resources |
14 Dec 2024 | Microsoft.Network/* | Get properties for Azure Networking resources and manage them |
14 Dec 2024 | Microsoft.KeyVault/* | List and manage Azure KeyVault resources |
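An administrator reviewing this change history usually wants to answer two questions before regranting: where the service principal's role assignments actually sit (tenant root management group, or only the subscriptions covered by the fallback described above), and what the wildcard actions in the table really permit. The script below is an added example, not Afi's own code or tooling. It applies Azure RBAC wildcard semantics (a `*` spans any characters, including `/`, and matching is case-insensitive) to the action list from the table, and classifies assignment scopes using the fact that the tenant root management group's ID equals the tenant ID. The tenant ID and role-assignment records are constructed placeholders; in a real tenant they would be taken from the Resource Manager role assignments API (for example `az role assignment list --assignee <object-id> --all`, which is an assumption about tooling, not something the page prescribes).

```python
"""Offline review of what a service principal's Azure role assignments permit,
using the action list from the permission change history above.

Added example, not Afi's own code. Role-assignment records are constructed;
in a real tenant they would come from the Azure Resource Manager role
assignments API (assumption: `az role assignment list --assignee <id> --all`).
"""
import re

# Actions from the 14 Dec 2024 change history on this page.
EXPECTED_ACTIONS = [
    "Microsoft.Authorization/*/read",
    "Microsoft.Management/managementGroups/read",
    "Microsoft.Management/managementGroups/descendants/read",
    "Microsoft.Management/managementGroups/subscriptions/read",
    "Microsoft.Management/getEntities/action",
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Resources/subscriptions/locations/read",
    "Microsoft.Resources/subscriptions/resourceGroups/*",
    "Microsoft.ResourceHealth/*",
    "Microsoft.Compute/*",
    "Microsoft.Network/*",
    "Microsoft.KeyVault/*",
]

# Constructed sample data: a placeholder tenant ID and two subscription-scoped
# assignments, i.e. the fallback case where the admin had no root MG access.
TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real tenant
SAMPLE_ASSIGNMENTS = [
    {"scope": "/subscriptions/11111111-1111-1111-1111-111111111111",
     "roleDefinitionName": "Backup SP role (constructed)"},
    {"scope": "/subscriptions/22222222-2222-2222-2222-222222222222",
     "roleDefinitionName": "Backup SP role (constructed)"},
]


def action_matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard semantics: '*' spans any characters, including '/',
    and comparison is case-insensitive, so '*/read' covers every read operation."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def is_permitted(operation: str, actions, not_actions=()) -> bool:
    """An operation is allowed when some Actions entry matches it and no
    NotActions entry excludes it (NotActions narrow a wildcard grant)."""
    allowed = any(action_matches(a, operation) for a in actions)
    excluded = any(action_matches(n, operation) for n in not_actions)
    return allowed and not excluded


def missing_actions(granted, expected=EXPECTED_ACTIONS):
    """Expected entries that no granted pattern covers: what a regrant would add."""
    return [e for e in expected if not any(action_matches(g, e) for g in granted)]


def coverage(assignments, tenant_id: str):
    """Classify where the service principal is assigned. The tenant root
    management group's ID equals the tenant ID, so an assignment there covers
    every current and future subscription; otherwise only the listed
    subscriptions are covered and newly created ones will not be discovered."""
    root_scope = f"/providers/Microsoft.Management/managementGroups/{tenant_id}"
    scopes = [a["scope"] for a in assignments]
    if any(s.lower() == root_scope.lower() for s in scopes):
        return "tenant", []
    subs = sorted(s.split("/")[2] for s in scopes if s.lower().startswith("/subscriptions/"))
    return "subscriptions", subs


if __name__ == "__main__":
    kind, subs = coverage(SAMPLE_ASSIGNMENTS, TENANT_ID)
    print(f"coverage: {kind} {subs}")
    # Wildcards are broad: the KeyVault grant also permits destructive operations,
    # which is the kind of detail to weigh when reading the Impact column.
    for op in ("Microsoft.Authorization/roleAssignments/read",
               "Microsoft.Authorization/roleAssignments/write",
               "Microsoft.KeyVault/vaults/delete",
               "Microsoft.Storage/storageAccounts/read"):
        print(f"{op}: {is_permitted(op, EXPECTED_ACTIONS)}")
    print("missing after partial grant:", missing_actions(["Microsoft.Compute/*"]))
```

Running the script as written reports `subscriptions` coverage for the two constructed assignments (so new subscriptions would not be discovered), shows that `Microsoft.Authorization/*/read` permits reading role assignments but not writing them, and that `Microsoft.KeyVault/*` permits `Microsoft.KeyVault/vaults/delete` unless the role definition narrows it with a NotActions entry. Feeding `missing_actions` the actions of the currently assigned role definition tells you which table rows a regrant would actually add.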