Share This:

We've had a number of questions about the permissions that BMC Discovery requires to fully discover Storage resources in Microsoft Azure, so I thought I would try and explain the situation.


Like every other system we can discover, BMC Discovery only needs read access to resources in Microsoft Azure. Helpfully, Microsoft provides a Reader role which gives read only access to all resources. Excellent, that's exactly what we need ...


However, in turns out that some Azure Storage values we would like to collect aren't directly available via the Azure Resource Manager API, specifically the size and encryption (D@RE) parameters for virtual hard disks (VHDs). For VMs which use VHDs (not Managed Disks) we have to query the Blob properties directly from Azure Storage. To do this, we must properly sign the request and that requires a Storage Key.


The Azure Resource Manager API provides a method to retrieve the keys, but this isn't covered by the Reader role, so Discovery needs the Microsoft.Storage/storageAccounts/listKeys/action permission. These keys provide Full Access to the storage resources so, in theory, these could be used to modify or even delete Storage Blobs. However, like any other credential, Discovery does not expose these keys to the user: there is no way to retrieve and use them in a pattern for example. Internally, Discovery retrieves the key when certain Azure Storage read operations are needed.


Microsoft's approach to this problem is to use Shared Access Signatures (SAS). However, for this to work for Discovery, we would need a SAS token for each Storage Account, which is a large configuration burden.


So, to sum up:


We need the Storage Keys to get size and encryption (D@RE) values for VHDs used by VMs. If you don't grant this permission (i.e. just use the Reader role), then the values will be missing. Discovery will still perform all other Azurescanning. You ONLY need to grant the permission if size and D@RE for VHDs is important to you.


If you are using Managed Disks, then BMC Discovery does not need the Microsoft.Storage/storageAccounts/listKeys/action permission - the Managed Disk API allows us to read all the values we want.


I hope this helps clarify the situation.