This KB is for immediate information as we are updating our documentation.
Using the Azure "Reader" role for ServiceNow Cloud Discovery is supported.
Currently the ServiceNow Kingston doc titled "Create credentials for cloud discovery" has a section called "Create credentials for an Azure cloud discovery". The same holds true for the London version of ServiceNow and its documentation.
In this section it states "On the Azure portal, the Active Directory administrator or Azure administrator role is required" and there seems to be a bit of confusion around Azure "roles" and what is required to use ServiceNow Cloud Discovery to discover your Azure environment.
The intention of "On the Azure portal, the Active Directory administrator or Azure administrator role is required" is to explain that you need an Azure user with the "Contributor" role.
Our customers have asked to use the "Reader" role instead of the "Contributor" role as it has less privileges.
Azure includes several built-in roles that you can use. The following are four fundamental built-in roles:
- Owner - Has full access to all resources including the right to delegate access to others and lets you manage everything, including access to resources.
- Contributor - Can create and manage all types of Azure resources but can't grant access to others; lets you manage everything except access to resources.
- Reader - Can view existing Azure resources but cannot make any changes.
- User Access Administrator - Lets you manage user access to Azure resources.
Owner, Contributor, and Reader apply to all resource types.
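Because Reader is sufficient for Cloud Discovery, a practical check is to confirm that the discovery principal holds Reader at the subscription scope and nothing broader. The following is an added example, not ServiceNow or Microsoft code; it parses a constructed list shaped like the JSON output of `az role assignment list` (the field names `principalId`, `roleDefinitionName` and `scope` are assumed from that output) and reports any Owner, Contributor or User Access Administrator assignments that exceed what discovery needs.

```python
import json

# Built-in roles whose privileges exceed what read-only discovery needs.
EXCESS_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample, shaped like `az role assignment list --all -o json`.
# The principal and subscription IDs are placeholders, not real values.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalId": "disc-sp-0001", "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalId": "disc-sp-0001", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-legacy"},
    {"principalId": "other-user-42", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
])


def audit_discovery_principal(assignments_json, principal_id, subscription_id):
    """Return (has_reader, excess) for the discovery principal.

    has_reader: True if Reader is assigned at the subscription scope or at a
                parent management-group scope, which is all Cloud Discovery
                needs to enumerate resources.
    excess:     list of (role, scope) pairs granting more than Reader.
    """
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    has_reader = False
    excess = []
    for a in json.loads(assignments_json):
        if a["principalId"] != principal_id:
            continue  # assignments for other identities are out of scope
        role, scope = a["roleDefinitionName"], a["scope"]
        # Management-group scopes start with /providers/Microsoft.Management
        # and are inherited by every subscription beneath them.
        at_or_above_sub = (scope.lower() == sub_scope
                           or scope.startswith("/providers/Microsoft.Management"))
        if role == "Reader" and at_or_above_sub:
            has_reader = True
        elif role in EXCESS_ROLES:
            excess.append((role, scope))
    return has_reader, excess


if __name__ == "__main__":
    ok, extra = audit_discovery_principal(
        SAMPLE_ASSIGNMENTS, "disc-sp-0001", "00000000-0000-0000-0000-000000000000")
    print("Reader at subscription scope:", ok)
    for role, scope in extra:
        print(f"excess privilege: {role} at {scope}")
```

Run it against real output by replacing `SAMPLE_ASSIGNMENTS` with the saved JSON from `az role assignment list --all -o json`, then remove any assignment it flags so the discovery identity is left with Reader only.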
A bit of history on Azure and Roles
When Azure was released there were only three administrator roles: Account Administrator, Service Administrator, and Co-Administrator. As Azure evolved, Microsoft introduced role-based access control (RBAC), which provides much more granular access. RBAC has many built-in roles and allows you to create custom roles.
Managing Azure Active Directory
To manage resources in Azure AD, such as users, groups, and domains, there are several Azure AD administrator roles.
The following diagram is a high-level view of how the classic subscription administrator roles, Azure RBAC roles, and Azure AD administrator roles are related.