CloudMonix needs to be granted access to Azure in order to read diagnostic data and execute actions via the ARM API. This access is granted automatically during configuration via the Setup Wizard.
By default, a new AD principal is created for CloudMonix with Contributor privileges. The permission level can be downgraded to Reader, but it is important to understand the differences between the two roles and the consequences of changing the privilege level.
A Contributor can manage everything except access. That means it can create and manage resources of all types, e.g. add and remove VMs, SQL databases, Websites and Azure Service Bus. However, a Contributor can't manage roles and role assignments, so it can't add or remove other users or control user permissions. A Reader can view all data but can't make any modifications.
To learn more about Azure roles see Get started with access management in the Azure portal and RBAC: Built-in roles articles.
CloudMonix features NOT available with Reader privileges
When CloudMonix is granted Reader privileges it can view Azure data, but it can't make any changes to the Azure environment.
This means that, in addition to not being able to execute any of the Azure automation actions, CloudMonix will also be unable to instrument Azure VMs with the proper diagnostic configuration, so those resources have to be configured manually. It can still execute non-Azure actions, e.g. run PowerShell scripts through its Agent, post data to API endpoints, execute SQL scripts, etc.
CloudMonix features that will NOT work with Reader privileges:
Automatically instrumenting diagnostics for VMs and Cloud Services
Reboots and resize of VMs through Azure
Automated start & shutdown of VMs
Recycling of Azure Web Apps
Auto-scaling of Web Apps and Cloud Services
Kicking off Azure Automation Runbooks
Other Azure-specific automation actions
Downgrading CloudMonix privileges to the Reader level
During configuration, CloudMonix is granted Contributor privileges. Because CloudMonix needs to be authorized to access Azure resources, the privileges can only be downgraded after configuration via the Setup Wizard has completed.
It's also recommended to complete the installation before downgrading privileges, so that CloudMonix can instrument the Diagnostics Extensions. It is possible to manage the Diagnostics Extensions configuration yourself and prevent CloudMonix from modifying it; however, in such a situation users need to manually add all metrics and specify the Diagnostics storage account.
In order to downgrade CloudMonix privileges to Reader:
Go to the new Azure portal and search for Subscriptions.
Select the subscription that CloudMonix has access to. Then open the Access Control (IAM) tab and click CloudMonix principal.
Finally, remove the CloudMonix principal's Contributor privileges and add a new CloudMonix user with Reader privileges.
CloudMonix needs at minimum the Reader privilege in order to access monitoring data. If fine-grained control over resources is required, the Contributor or Reader privilege can be granted only on specific resources.
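The same downgrade can be scripted with the Azure CLI instead of the portal. The script below is an added example, not CloudMonix's own tooling; it assumes a placeholder object id for the CloudMonix AD principal and a placeholder subscription id, and it adds the Reader assignment and verifies it before removing Contributor, so monitoring never loses access during the change. The --scope argument can be narrowed to a resource group or a single resource when fine-grained control is wanted.

```shell
#!/usr/bin/env sh
# Added example (not part of CloudMonix): swap the CloudMonix principal's
# Contributor role assignment for Reader using the Azure CLI.
# Assumptions (placeholders, not values from the page):
#   $1 - object id of the CloudMonix AD principal
#   $2 - subscription id that CloudMonix monitors
set -eu

# Role names currently assigned to a principal at a scope, one per line.
assigned_roles() {  # assigned_roles <principal-object-id> <scope>
    az role assignment list --assignee "$1" --scope "$2" \
        --query "[].roleDefinitionName" -o tsv
}

has_role() {  # has_role <principal-object-id> <scope> <role-name>
    assigned_roles "$1" "$2" | grep -qx "$3"
}

# Add Reader first, confirm it is visible, only then drop Contributor.
downgrade_to_reader() {  # downgrade_to_reader <principal-object-id> <scope>
    principal=$1; scope=$2
    if ! has_role "$principal" "$scope" Reader; then
        az role assignment create --assignee "$principal" \
            --role Reader --scope "$scope" >/dev/null
    fi
    # Refuse to remove Contributor unless Reader is really in place,
    # otherwise CloudMonix would be left without any access at all.
    has_role "$principal" "$scope" Reader || {
        echo "Reader assignment not found; aborting" >&2; return 1; }
    if has_role "$principal" "$scope" Contributor; then
        az role assignment delete --assignee "$principal" \
            --role Contributor --scope "$scope"
    fi
    # Final state check: Reader present, Contributor gone.
    has_role "$principal" "$scope" Reader &&
        ! has_role "$principal" "$scope" Contributor
}

# Run only when executed with both arguments, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    downgrade_to_reader "$1" "/subscriptions/$2"
fi
```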