12-21-2023 11:24 PM
There are multiple resource groups in the Azure subscription, but only one of them is the resource we want to scan with Discovery this time.
We do not want to have asset information for other resource groups in ServiceNow for security reasons.
Is it possible to limit the resource groups in Cloud Discovery as described above?
<What I tried>
1. Create a service principal in Azure.
2. Assign a viewer role with a specific resource group as scope.
3. Register Discovery credentials. (Azure Service Principal)
4. Run "Discover Subscriptions".
This resulted in an error "Azure Datacenter.ListSubscriptions.Azure Datacenter.Compute Interface.ListSubscriptions - Error" and no subscriptions were obtained.
Is it wrong to limit the scope of the service principal's authority in a limited way?
#Discovery
#Cloud Discovery
#Azure
12-22-2023 11:49 PM
Hi,
Yes, but your Service Principal in Azure needs to have access to the subscription but not the Resource Groups you want to exclude. If you restrict it to only the resource group, it will not be able to scan the subscription, which I think is where you get the error.
Try to give access to the Service Principal on subscription level and then add Deny Assignment in IAM for the resource groups you want to exclude.
Regards,
Niklas
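To confirm which scopes the Discovery service principal can actually read, the sketch below audits its role assignments; it is an added example, not part of the thread or of ServiceNow. It assumes input in the JSON shape printed by `az role assignment list --assignee <appId> --all`, and the sample data and the resource group name `rg-discovery` are constructed.

```python
import json

# Constructed sample shaped like `az role assignment list --assignee <appId> --all -o json`.
SAMPLE = json.loads("""[
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-discovery"},
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]""")


def scope_level(scope):
    """Classify an Azure RBAC scope string as (level, subscription_id, resource_group)."""
    parts = [p for p in scope.strip("/").split("/") if p]
    lower = [p.lower() for p in parts]
    if lower[:1] != ["subscriptions"] or len(parts) < 2:
        return ("other", None, None)          # management group or tenant root
    sub = parts[1]
    if len(parts) == 2:
        return ("subscription", sub, None)
    if lower[2] == "resourcegroups" and len(parts) >= 4:
        level = "resource_group" if len(parts) == 4 else "resource"
        return (level, sub, parts[3])
    return ("resource", sub, None)            # subscription-level provider resource


def audit(assignments, allowed_rg):
    """List assignments that reach beyond the one resource group meant for Discovery."""
    findings = []
    for a in assignments:
        level, _sub, rg = scope_level(a["scope"])
        role = a["roleDefinitionName"]
        if level in ("subscription", "other"):
            # RBAC assignments are inherited by every scope below them.
            findings.append(f"{role} at {a['scope']}: inherited by all resource groups below")
        elif rg is None or rg.lower() != allowed_rg.lower():
            findings.append(f"{role} at {a['scope']}: outside {allowed_rg}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE, "rg-discovery"):
        print(line)
```

Any subscription-level finding means the other resource groups stay readable unless something else in IAM excludes them.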
12-27-2023 11:31 PM
Thanks for the answer.
I will try it that way.