Admin consent regrant for Microsoft Azure application

As part of a Microsoft Azure tenant onboarding, an Entra ID Global Administrator must grant the Afi application a set of permissions to access the tenant's resources and data. To do this, Afi requests Azure Resource Manager and Entra ID access from the administrator and then, upon consent, provisions the service principal role assignments with the permissions listed in the table below, either for the tenant's root management group or for the subscriptions where the administrator holds the Owner role.

Info

If the administrator performing the onboarding does not have access to the tenant's root management group, Afi automatically falls back to provisioning the service principal role assignments only for the subscriptions owned by that administrator. Note that in this case the Afi application will not be able to automatically discover new Azure subscriptions created in the tenant.

Info

To allow the Afi application to access all Azure subscriptions in a tenant, including newly created ones and those not owned by the administrator granting access, the administrator can temporarily elevate their access to manage all subscriptions and management groups under the Azure tenant, as described in the following article.

Occasionally, Afi needs to update the set of permissions used by its service principal to provide improved and more comprehensive support for Microsoft Azure Compute infrastructure backup and recovery, as well as to support new workloads such as Azure Databases (coming in H1 2025). In such cases, Afi will prompt you to grant the additional permissions by consenting to the application again so that it can update the service principal role assignments.

To regrant consent and update the Afi permissions, go to the Service → Settings → Admin consent tab and click the Regrant button.

Permissions change history

Below is a history of changes to Azure permissions granted to the Afi service principal during an Azure tenant onboarding or a consent regrant:

| Date | Permissions added | Impact |
|---|---|---|
| 14 Dec 2024 | Microsoft.Authorization/*/read | Query access-related information |
| 14 Dec 2024 | Microsoft.Management/managementGroups/read | List management groups |
| 14 Dec 2024 | Microsoft.Management/managementGroups/descendants/read | Get all descendants (management groups, subscriptions) of a management group |
| 14 Dec 2024 | Microsoft.Management/managementGroups/subscriptions/read | List subscriptions under the given management group |
| 14 Dec 2024 | Microsoft.Management/getEntities/action | List all Microsoft.Management service entities (management groups, subscriptions, etc.) |
| 14 Dec 2024 | Microsoft.Resources/subscriptions/read | Get the list of subscriptions |
| 14 Dec 2024 | Microsoft.Resources/subscriptions/locations/read | Get the list of supported locations |
| 14 Dec 2024 | Microsoft.Resources/subscriptions/resourceGroups/* | Get or list resource groups; get, list, and manage deployments |
| 14 Dec 2024 | Microsoft.ResourceHealth/* | Get health state and availability status for a resource |
| 14 Dec 2024 | Microsoft.Compute/* | Access and manage Azure Compute resources |
| 14 Dec 2024 | Microsoft.Network/* | Get properties of Azure Networking resources and manage them |
| 14 Dec 2024 | Microsoft.KeyVault/* | List and manage Azure KeyVault resources |
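An administrator reviewing the granted access may want to check that the role actually assigned to the service principal matches the documented set and nothing more. The following is an added example, not Afi's own code: it audits a role definition (assumed to have the shape of one entry from `az role definition list` output) against the permissions in the table above, using Azure RBAC-style wildcard matching; the sample role definition is constructed for illustration.

```python
import fnmatch

# Permission set from the change history table on this page (14 Dec 2024).
DOCUMENTED_ACTIONS = [
    "Microsoft.Authorization/*/read",
    "Microsoft.Management/managementGroups/read",
    "Microsoft.Management/managementGroups/descendants/read",
    "Microsoft.Management/managementGroups/subscriptions/read",
    "Microsoft.Management/getEntities/action",
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Resources/subscriptions/locations/read",
    "Microsoft.Resources/subscriptions/resourceGroups/*",
    "Microsoft.ResourceHealth/*",
    "Microsoft.Compute/*",
    "Microsoft.Network/*",
    "Microsoft.KeyVault/*",
]

def action_matches(pattern, action):
    """Azure RBAC-style match: '*' spans any characters (including '/'), case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def is_covered(action, actions, not_actions=()):
    """Effective iff an Actions pattern matches and no NotActions pattern does. A wildcard
    passed as `action` is compared literally, so it counts as covered only by an equal or
    broader pattern (conservative, which is what an audit wants)."""
    return (any(action_matches(p, action) for p in actions)
            and not any(action_matches(p, action) for p in not_actions))

def audit_role(role_def, documented=DOCUMENTED_ACTIONS):
    """role_def: assumed shape of one `az role definition list` entry.
    excess: role actions no documented pattern covers (over-privilege).
    missing: documented permissions the role's effective Actions do not grant."""
    perms = role_def["permissions"][0]
    actions, not_actions = perms.get("actions", []), perms.get("notActions", [])
    return {
        "roleName": role_def["roleName"],
        "excess": [a for a in actions if not is_covered(a, documented)],
        "missing": [d for d in documented if not is_covered(d, actions, not_actions)],
    }

# Constructed sample (not a real Afi role): two actions beyond the documented set,
# and Microsoft.ResourceHealth/* left out.
SAMPLE_ROLE = {
    "roleName": "example-backup-role",
    "permissions": [{
        "actions": [a for a in DOCUMENTED_ACTIONS if a != "Microsoft.ResourceHealth/*"]
                   + ["Microsoft.Storage/*", "Microsoft.Authorization/roleAssignments/write"],
        "notActions": [],
    }],
}
```

Running `audit_role(SAMPLE_ROLE)` reports the two Storage and roleAssignments/write actions as excess and Microsoft.ResourceHealth/* as missing; a NotActions entry narrower than a documented wildcard is not flagged, so review NotActions by hand.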