Azure role-based access control (Azure RBAC) lets you grant members of your organization only the specific actions they need to carry out their responsibilities.
To use Network Watcher capabilities, the account you sign in to Azure with must be assigned the Owner, Contributor, or Network Contributor built-in role, or a custom role that includes the actions listed for the Network Watcher capability you want to use.
Important
Network Contributor doesn't include the following actions:
- Microsoft.Storage/* actions listed in the Additional actions and Flow logs sections.
- Microsoft.Compute/* actions listed in the Additional actions section.
- Microsoft.OperationalInsights/workspaces/*, Microsoft.Insights/dataCollectionRules/*, and Microsoft.Insights/dataCollectionEndpoints/* actions listed in the Traffic analytics section.
To learn how to check roles assigned to a user for a subscription, see List Azure role assignments using the Azure portal. If you can't see the role assignments, contact the respective subscription admin.
The following sections list the minimum required permissions to use Network Watcher and its capabilities. For a full list of related Azure permissions, see Microsoft.Network permissions, Microsoft.Compute permissions, Microsoft.Storage permissions, Microsoft.Insights permissions, and Microsoft.OperationalInsights permissions.
Network Watcher
| Action | Description | 
|---|---|
| Microsoft.Network/networkWatchers/read | Get a network watcher | 
| Microsoft.Network/networkWatchers/write | Create or update a network watcher | 
| Microsoft.Network/networkWatchers/delete | Delete a network watcher | 
Connection monitor
| Action | Description | 
|---|---|
| Microsoft.Network/networkWatchers/connectionMonitors/start/action | Start a connection monitor | 
| Microsoft.Network/networkWatchers/connectionMonitors/stop/action | Stop a connection monitor | 
| Microsoft.Network/networkWatchers/connectionMonitors/query/action | Query a connection monitor | 
| Microsoft.Network/networkWatchers/connectionMonitors/read | Get a connection monitor | 
| Microsoft.Network/networkWatchers/connectionMonitors/write | Create a connection monitor | 
| Microsoft.Network/networkWatchers/connectionMonitors/delete | Delete a connection monitor | 
Flow logs
| Action | Description | 
|---|---|
| Microsoft.Network/networkWatchers/flowLogs/read | Get flow log details | 
| Microsoft.Network/networkWatchers/flowLogs/write | Create a flow log | 
| Microsoft.Network/networkWatchers/flowLogs/delete | Delete a flow log | 
| Microsoft.Network/networkWatchers/configureFlowLog/action | Configure a flow log | 
| Microsoft.Network/networkWatchers/queryFlowLogStatus/action | Query status for a flow log | 
| Microsoft.Network/networkSecurityGroups/write ¹ | Create a network security group or update an existing network security group | 
| Microsoft.Storage/storageAccounts/listServiceSas/Action, Microsoft.Storage/storageAccounts/listAccountSas/Action, Microsoft.Storage/storageAccounts/listKeys/Action | Fetch shared access signatures (SAS) or account keys that grant access to the storage account, so that flow logs can be written to it | 
¹ Only required with NSG flow logs.
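The tables on this page are the input to a least-privilege custom role, and the Important note above shows why checking coverage matters: a role that grants every Microsoft.Network action still cannot hand the flow log service a storage SAS. The following Python is an added example, not Microsoft's code and not a role definition the page publishes. It transcribes the Flow logs table into a constructed custom role in the JSON shape that `az role definition create --role-definition` accepts, and implements the Azure RBAC effective-permission rule (an action is granted when it matches an entry in Actions and no entry in NotActions, with `*` matching any characters including slashes, case-insensitively) so you can check any role definition, built-in or custom, against any table on this page. The role name, description and subscription ID are placeholders.

```python
"""Least-privilege custom role for Network Watcher flow logs, plus an RBAC coverage check.

Added example, not Microsoft's code. Action names are transcribed from the Flow logs
table on this page; the role name, description and subscription ID are made up.
"""
import json
import re

# Actions the Flow logs table lists. NSG flow logs additionally need the NSG write action (footnote 1).
FLOW_LOG_ACTIONS = [
    "Microsoft.Network/networkWatchers/flowLogs/read",
    "Microsoft.Network/networkWatchers/flowLogs/write",
    "Microsoft.Network/networkWatchers/flowLogs/delete",
    "Microsoft.Network/networkWatchers/configureFlowLog/action",
    "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
    "Microsoft.Storage/storageAccounts/listServiceSas/Action",
    "Microsoft.Storage/storageAccounts/listAccountSas/Action",
    "Microsoft.Storage/storageAccounts/listKeys/Action",
]
NSG_FLOW_LOG_ACTIONS = FLOW_LOG_ACTIONS + ["Microsoft.Network/networkSecurityGroups/write"]

# Constructed custom role in the JSON shape `az role definition create --role-definition @file.json`
# accepts. The subscription ID in AssignableScopes is a placeholder; use your own.
FLOW_LOG_OPERATOR_ROLE = {
    "Name": "Network Watcher Flow Log Operator (example)",
    "Description": "Manage Network Watcher flow logs and obtain a storage SAS for the flow log target.",
    "Actions": FLOW_LOG_ACTIONS,
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}

# Constructed role that mirrors the gap described in the Important note: every Microsoft.Network
# action, nothing under Microsoft.Storage.
NETWORK_ONLY_ROLE = {
    "Name": "Network-only (example)",
    "Actions": ["Microsoft.Network/*"],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard matching: '*' stands for any run of characters, slashes included,
    and the comparison is case-insensitive ('Action' and 'action' in the tables are equivalent)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def is_granted(role: dict, action: str) -> bool:
    """Effective permission: the action matches some Actions entry and no NotActions entry."""
    allowed = any(action_matches(p, action) for p in role.get("Actions", []))
    denied = any(action_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied


def missing_actions(role: dict, required: list) -> list:
    """Return the required actions the role does not grant, in table order."""
    return [a for a in required if not is_granted(role, a)]


def role_definition_json(role: dict) -> str:
    """Serialize a role dict to the JSON file you would hand to the Azure CLI."""
    return json.dumps(role, indent=2)


def load_role(json_text: str) -> dict:
    """Parse a role definition JSON document (for example, one exported with the CLI) into a dict."""
    return json.loads(json_text)


if __name__ == "__main__":
    print(role_definition_json(FLOW_LOG_OPERATOR_ROLE))
    for label, role in (("custom role", FLOW_LOG_OPERATOR_ROLE), ("network-only role", NETWORK_ONLY_ROLE)):
        gaps = missing_actions(role, NSG_FLOW_LOG_ACTIONS)
        print(f"{label}: " + ("covers NSG flow logs" if not gaps else "missing " + ", ".join(gaps)))
```

Running the script prints the role JSON and then reports that the constructed custom role covers virtual network flow logs but lacks only `Microsoft.Network/networkSecurityGroups/write` for NSG flow logs, while the network-only role lacks all three storage actions. To check a real role, export its definition with the Azure CLI, pass the parsed document to `missing_actions` together with the action list from the relevant table, and add the storage actions to a custom role rather than broadening it to Contributor.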
Traffic analytics
Since traffic analytics is enabled as part of the flow log resource, the following permissions are required in addition to all the required permissions for Flow logs:
| Action | Description | 
|---|---|
| Microsoft.Network/applicationGateways/read | Get an application gateway | 
| Microsoft.Network/connections/read | Get VirtualNetworkGatewayConnection | 
| Microsoft.Network/expressRouteCircuits/read | Get an ExpressRouteCircuit | 
| Microsoft.Network/loadBalancers/read | Get a load balancer definition | 
| Microsoft.Network/localNetworkGateways/read | Get LocalNetworkGateway | 
| Microsoft.Network/networkInterfaces/read | Get a network interface definition | 
| Microsoft.Network/networkSecurityGroups/read | Get a network security group definition | 
| Microsoft.Network/publicIPAddresses/read | Get a public IP address definition | 
| Microsoft.Network/routeTables/read | Get a route table definition | 
| Microsoft.Network/virtualNetworkGateways/read | Get a VirtualNetworkGateway | 
| Microsoft.Network/virtualNetworks/read | Get a virtual network definition | 
| Microsoft.Compute/virtualMachines/read | Get the properties of a virtual machine | 
| Microsoft.Compute/virtualMachineScaleSets/read | Get the properties of a Virtual Machine Scale Set | 
| Microsoft.OperationalInsights/workspaces/read | Get an existing workspace | 
| Microsoft.OperationalInsights/workspaces/sharedkeys/action | Retrieve the shared keys for the workspace | 
| Microsoft.Insights/dataCollectionRules/read ¹ | Read a data collection rule | 
| Microsoft.Insights/dataCollectionRules/write ¹ | Create or update a data collection rule | 
| Microsoft.Insights/dataCollectionRules/delete ¹ | Delete a data collection rule | 
| Microsoft.Insights/dataCollectionEndpoints/read ¹ | Read a data collection endpoint | 
| Microsoft.Insights/dataCollectionEndpoints/write ¹ | Create or update a data collection endpoint | 
| Microsoft.Insights/dataCollectionEndpoints/delete ¹ | Delete a data collection endpoint | 
¹ Required on the Log Analytics workspace subscription when using traffic analytics with virtual network flow logs.
Caution
Traffic analytics creates and manages data collection rule (DCR) and data collection endpoint (DCE) resources in the same resource group as the Log Analytics workspace, prefixed with NWTA. If you perform any operation on these resources, traffic analytics might not function as expected.
Important
Management group inherited permissions are currently not supported for enabling traffic analytics.
Connection troubleshoot
| Action | Description | 
|---|---|
| Microsoft.Network/networkWatchers/connectivityCheck/action, Microsoft.Network/networkWatchers/connectivityCheck/read | Verify the possibility of establishing a direct TCP connection from a virtual machine to a given endpoint | 
| Microsoft.Network/networkWatchers/queryTroubleshootResult/action | Query results of a connection troubleshoot test | 
| Microsoft.Network/networkWatchers/troubleshoot/action | Run a connection troubleshoot test | 
Packet capture
| Action | Description | 
|---|---|
| Microsoft.Network/networkWatchers/packetCaptures/queryStatus/action | Query the status of a packet capture | 
| Microsoft.Network/networkWatchers/packetCaptures/stop/action | Stop the running packet capture session | 
| Microsoft.Network/networkWatchers/packetCaptures/read | Get a packet capture definition | 
| Microsoft.Network/networkWatchers/packetCaptures/write | Create a packet capture | 
| Microsoft.Network/networkWatchers/packetCaptures/delete | Delete a packet capture | 
| Microsoft.Network/networkWatchers/packetCaptures/queryStatus/read | View the status of a packet capture | 
IP flow verify
| Action | Description | 
|---|---|
| Microsoft.Network/networkWatchers/ipFlowVerify/action, Microsoft.Network/networkWatchers/ipFlowVerify/read | Returns whether the packet is allowed or denied to or from a particular destination | 
Next hop
| Action | Description | 
|---|---|
| Microsoft.Network/networkWatchers/nextHop/action, Microsoft.Network/networkWatchers/nextHop/read | For a specified target and destination IP address, return the next hop type and next hop IP address | 
| Microsoft.Compute/virtualMachines/read | Get the properties of a virtual machine | 
| Microsoft.Network/networkInterfaces/read | Get a network interface definition | 
Network security group view
| Action | Description | 
|---|---|
| Microsoft.Network/networkWatchers/securityGroupView/action | View the configured and effective network security group rules applied on a virtual machine | 
Topology
| Action | Description | 
|---|---|
| Microsoft.Network/networkWatchers/topology/action, Microsoft.Network/networkWatchers/topology/read | Get a network level view of resources and their relationships in a resource group | 
Reachability report
| Action | Description | 
|---|---|
| Microsoft.Network/networkWatchers/azureReachabilityReport/action | Get the relative latency score for internet service providers from a specified location to Azure regions | 
Additional actions
Some Network Watcher capabilities require the following actions:
| Action | Description | 
|---|---|
| Microsoft.Authorization/*/Read | Fetch Azure role assignments and policy definitions | 
| Microsoft.Resources/subscriptions/resourceGroups/Read | Enumerate all the resource groups in a subscription | 
| Microsoft.Storage/storageAccounts/Read | Get the properties for the specified storage account | 
| Microsoft.Storage/storageAccounts/listServiceSas/Action, Microsoft.Storage/storageAccounts/listAccountSas/Action, Microsoft.Storage/storageAccounts/listKeys/Action | Fetch shared access signatures (SAS) or account keys that grant access to the storage account, so that results can be written to it | 
| Microsoft.Compute/virtualMachines/Read, Microsoft.Compute/virtualMachines/Write | Log in to the VM, run a packet capture, and upload it to the storage account | 
| Microsoft.Compute/virtualMachines/extensions/Read, Microsoft.Compute/virtualMachines/extensions/Write | Check whether the Network Watcher extension is present, and install it if necessary | 
| Microsoft.Compute/virtualMachineScaleSets/Read, Microsoft.Compute/virtualMachineScaleSets/Write | Access virtual machine scale sets, run packet captures, and upload them to the storage account | 
| Microsoft.Compute/virtualMachineScaleSets/extensions/Read, Microsoft.Compute/virtualMachineScaleSets/extensions/Write | Check whether the Network Watcher extension is present, and install it if necessary | 
| Microsoft.Insights/alertRules/* | Set up metric alerts | 
| Microsoft.Support/* | Create and update support tickets from Network Watcher |