Below are the permissions required by each Azure custom integration script we offer. For each script you will find the required RBAC actions, the built-in roles that satisfy them, and an example custom role definition in JSON that grants only the least privilege the script needs.
Azure Containers

Minimal RBAC actions the app (service principal) must have on the target scope (subscription or specific resource groups):
- Microsoft.ContainerInstance/containerGroups/read — list/read container groups.
- Microsoft.Insights/metrics/read — read metrics for each container group.
Built-in role equivalents (either works):
- Reader (broad read to the scope) or Monitoring Reader (read all monitoring data). Assign to the subscription or RG that holds the ACI groups.
Example custom role JSON (least privilege). It also grants Microsoft.Insights/metricDefinitions/read so the script can enumerate the metrics each container group exposes. Keep the file as plain JSON with no comments, or az role definition create will reject it:
{
  "Name": "Domotz - Azure Containers Read (Least Privilege)",
  "IsCustom": true,
  "Description": "Allows listing Azure Container Instance groups and reading their metrics for Domotz monitoring.",
  "Actions": [
    "Microsoft.ContainerInstance/containerGroups/read",
    "Microsoft.Insights/metrics/read",
    "Microsoft.Insights/metricDefinitions/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<SUBSCRIPTION_ID>"
  ]
}
To narrow the role to the resource groups that hold the ACI groups, replace the subscription entry with one "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG_NAME>" entry per resource group, then assign the role at those resource groups.
Azure Daily Billing Costs

Minimal RBAC actions the app (service principal) needs at the subscription scope you’re querying:
- Microsoft.CostManagement/query/action
Built-in role equivalents
- Cost Management Reader (assign at the subscription).
Example custom role JSON (least privilege):
{
  "Name": "Domotz - Azure Cost Query (Least Privilege)",
  "IsCustom": true,
  "Description": "Allows running Cost Management Query at subscription scope for Domotz daily billing script.",
  "Actions": [
    "Microsoft.CostManagement/query/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<SUBSCRIPTION_ID>"
  ]
}
You can scope the role to specific management groups or subscriptions as needed.
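Whichever scope you choose, it is worth confirming afterwards that the app registration ended up with only the intended role at the intended scope and nothing broader (a leftover Contributor assignment from testing, say). The following is an added example, not one of the Domotz scripts: it audits the JSON array printed by az role assignment list --assignee <APP_ID> --all -o json against that expectation, and it applies to every role on this page, not just the cost role. The roleDefinitionName and scope fields are the ones that command emits; the privileged/accepted role lists and the scope rule are this example's own policy, and the sample array is constructed, not captured from a real tenant.

```python
"""Check that a service principal holds only the intended role at the intended scope.

Added example; it is not one of the Domotz scripts. It reads the JSON array
printed by `az role assignment list --assignee <APP_ID> --all -o json` (the
roleDefinitionName and scope fields it uses are the ones that command emits;
the policy rules are this example's own). The sample array below is
constructed for the example, not captured from a real tenant.
"""
import json
import sys

# Roles that can modify resources or permissions; no script on this page needs them.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Built-in read-only roles this page accepts as alternatives to the custom roles.
ACCEPTED_BUILTIN_ROLES = {"Reader", "Monitoring Reader", "Cost Management Reader"}

# Naming convention of the custom roles on this page.
CUSTOM_ROLE_PREFIX = "Domotz - "

# Constructed sample in the shape of `az role assignment list` output.
SAMPLE_ASSIGNMENTS_JSON = """[
  {"principalType": "ServicePrincipal",
   "roleDefinitionName": "Domotz - Azure Containers Read (Least Privilege)",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-aci"},
  {"principalType": "ServicePrincipal",
   "roleDefinitionName": "Cost Management Reader",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
  {"principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/22222222-2222-2222-2222-222222222222"},
  {"principalType": "ServicePrincipal",
   "roleDefinitionName": "Reader",
   "scope": "/providers/Microsoft.Management/managementGroups/corp"}
]"""


def scope_within(scope, allowed):
    """True if scope is the allowed scope or nested under it (Azure scopes are case-insensitive)."""
    s, a = scope.lower(), allowed.lower().rstrip("/")
    return s == a or s.startswith(a + "/")


def audit_assignments(assignments, allowed_scopes):
    """Return one finding per assignment that is privileged, unexpected, or
    sits outside every allowed scope. An empty list means the principal is
    within the permissions this page calls for."""
    findings = []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        if role in PRIVILEGED_ROLES:
            findings.append(f"privileged role {role!r} at {scope}")
        elif not (role.startswith(CUSTOM_ROLE_PREFIX) or role in ACCEPTED_BUILTIN_ROLES):
            findings.append(f"unexpected role {role!r} at {scope}")
        if not any(scope_within(scope, s) for s in allowed_scopes):
            findings.append(f"role {role!r} assigned outside the allowed scopes: {scope}")
    return findings


def load_assignments(text):
    """Parse the CLI's JSON array (a list of assignment objects)."""
    return json.loads(text)


if __name__ == "__main__":
    # Usage: az role assignment list --assignee <APP_ID> --all -o json | python audit.py <ALLOWED_SCOPE>...
    # With nothing on stdin the constructed sample is audited instead.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ASSIGNMENTS_JSON
    allowed = sys.argv[1:] or ["/subscriptions/11111111-1111-1111-1111-111111111111"]
    for finding in audit_assignments(load_assignments(raw), allowed):
        print(finding)
```

On the constructed sample the audit reports three findings: the Contributor assignment twice (privileged, and in a subscription you did not allow) and the Reader assignment at the management group (outside the allowed scope); the custom role at the resource group and Cost Management Reader at the subscription pass. Note that the CLI lists assignments in the current subscription context, so run it once per subscription the app is used in (or pass --subscription) to get a complete picture.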
Azure Disks Information

Grant the app (service principal) these RBAC actions at the subscription (or specific RGs that hold the disks):
- Microsoft.Compute/disks/read — list/read disk resources
- Microsoft.Insights/metrics/read — read disk metrics
Built-in roles that work
- Reader (broad read at scope), or
- Monitoring Reader (read all monitoring data)
Example custom role JSON (least privilege). It also grants Microsoft.Insights/metricDefinitions/read so the script can enumerate the metrics each disk exposes. Keep the file as plain JSON with no comments, or az role definition create will reject it:
{
  "Name": "Domotz - Azure Disks Read (Least Privilege)",
  "IsCustom": true,
  "Description": "Allows listing Azure Compute Disks and reading their metrics for Domotz monitoring.",
  "Actions": [
    "Microsoft.Compute/disks/read",
    "Microsoft.Insights/metrics/read",
    "Microsoft.Insights/metricDefinitions/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<SUBSCRIPTION_ID>"
  ]
}
Scoping to just the resource groups that contain your disks is fine: replace the subscription entry with one "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG_NAME>" entry per resource group and assign the role there.
Azure Network Interfaces

Grant the app (service principal) read-only rights at the subscription (or specific RGs that contain the NICs):
- Microsoft.Network/networkInterfaces/read — list/read NIC resources
- Microsoft.Insights/metrics/read — read NIC metrics
Built-in role options
- Monitoring Reader (its */read action already covers Microsoft.Network/networkInterfaces/read as well as the metrics actions), or
- Reader (broader read access at the scope)
Either built-in role grants far more than the three actions the script uses; the custom role below is the real least-privilege option.
Example custom role JSON (least privilege). It also grants Microsoft.Insights/metricDefinitions/read so the script can enumerate the metrics each NIC exposes. Keep the file as plain JSON with no comments, or az role definition create will reject it:
{
  "Name": "Domotz - Azure NIC Read (Least Privilege)",
  "IsCustom": true,
  "Description": "Allows listing Azure Network Interfaces and reading their metrics for Domotz monitoring.",
  "Actions": [
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Insights/metrics/read",
    "Microsoft.Insights/metricDefinitions/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<SUBSCRIPTION_ID>"
  ]
}
Scoping to only the resource groups that hold your NICs is fine: replace the subscription entry with one "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG_NAME>" entry per resource group and assign the role there.
Azure Storage Accounts

Grant the app (service principal) read-only rights at the subscription (or specific RGs that contain the storage accounts):
- Microsoft.Storage/storageAccounts/read — list/read storage account resources
- Microsoft.Insights/metrics/read — read storage account metrics
Built-in role options
- Reader on only the resource groups that hold the storage accounts (its */read action includes the metrics actions), or
- Monitoring Reader at the same scope
Both grant broad read access at the scope; the custom role below limits the app to the three actions the script uses.
Example custom role JSON (least privilege). It also grants Microsoft.Insights/metricDefinitions/read so the script can enumerate the metrics each storage account exposes. Keep the file as plain JSON with no comments, or az role definition create will reject it:
{
  "Name": "Domotz - Azure Storage Accounts Read (Least Privilege)",
  "IsCustom": true,
  "Description": "Allows listing Azure Storage Accounts and reading their metrics for Domotz monitoring.",
  "Actions": [
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Insights/metrics/read",
    "Microsoft.Insights/metricDefinitions/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<SUBSCRIPTION_ID>"
  ]
}
Scoping to only the resource groups that hold your storage accounts is perfectly fine: replace the subscription entry with one "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG_NAME>" entry per resource group and assign the role there.
Azure Virtual Machine Scale Sets

Grant the app (service principal) read-only rights where your VMSS live (subscription or specific RGs):
- Microsoft.Compute/virtualMachineScaleSets/read — list/read VMSS resources and properties
- Microsoft.Insights/metrics/read — read VMSS metrics
Built-in role options:
- Reader (broad read; its */read action includes the metrics actions), or
- Monitoring Reader (its */read action also covers virtualMachineScaleSets/read)
Either one alone is sufficient; assigning both adds nothing.
Example custom role JSON (least privilege). It also grants Microsoft.Insights/metricDefinitions/read so the script can enumerate the metrics each scale set exposes. Keep the file as plain JSON with no comments, or az role definition create will reject it:
{
  "Name": "Domotz - Azure VM Scale Sets Read (Least Privilege)",
  "IsCustom": true,
  "Description": "Allows listing Azure VM Scale Sets and reading their metrics for Domotz monitoring.",
  "Actions": [
    "Microsoft.Compute/virtualMachineScaleSets/read",
    "Microsoft.Insights/metrics/read",
    "Microsoft.Insights/metricDefinitions/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<SUBSCRIPTION_ID>"
  ]
}
Scoping to just the RGs containing the VMSS is fine: replace the subscription entry with one "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG_NAME>" entry per resource group and assign the role there.
Azure VMs List

Minimal Azure permissions (read-only):
- Microsoft.Compute/virtualMachines/read — list/read VM resources and properties
Built-in role option
- Reader at the subscription or specific RGs (broader than needed, but works everywhere).
Least-privilege custom role JSON. Note that it also includes Microsoft.Resources/subscriptions/resourceGroups/read, which is not in the bullet list above; keep it. The file must be plain JSON with no comments, or az role definition create will reject it:
{
  "Name": "Domotz - Azure VMs Read (Least Privilege)",
  "IsCustom": true,
  "Description": "Allows listing Azure Virtual Machines and reading their properties for Domotz monitoring.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<SUBSCRIPTION_ID>"
  ]
}
To narrow the role to one resource group, replace the subscription entry with "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG_NAME>" (one entry per resource group if there are several).
Azure Virtual Machine Scale Sets Metrics

Grant these at the subscription (or narrower RG) scope:
- Microsoft.Compute/virtualMachineScaleSets/read — list/read VMSS properties (name, RG, OS disk size, controller type, etc.)
- Microsoft.Insights/metrics/read — read VMSS metrics via providers/microsoft.insights/metrics
Built-in role options (easier, broader):
- Reader (subscription/RG): includes both Compute read and Metrics read.
- Monitoring Reader: its */read action also includes virtualMachineScaleSets/read, so it works on its own.
Custom role JSON (it also includes Microsoft.Resources/subscriptions/resourceGroups/read, which is not in the bullet list above; keep it). The file must be plain JSON with no comments, or az role definition create will reject it:
{
  "Name": "Domotz - VMSS Metrics (Least Privilege)",
  "IsCustom": true,
  "Description": "Read VM Scale Sets and their Azure Monitor metrics for Domotz driver.",
  "Actions": [
    "Microsoft.Compute/virtualMachineScaleSets/read",
    "Microsoft.Insights/metrics/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<SUBSCRIPTION_ID>"
  ]
}
To narrow the role to an RG, replace the subscription entry with "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG_NAME>" (one entry per resource group if there are several).
Azure VMs List Metrics

Assign at subscription scope (or narrower RG scope):
- Microsoft.Compute/virtualMachines/read — list VMs and read their properties.
- Microsoft.Compute/virtualMachines/instanceView/read — get instanceView (power state, agent/extensions, OS info).
- Microsoft.Insights/metrics/read — query Azure Monitor metrics for each VM.
Built-in role option:
- Reader at the subscription or specific RGs (broader than needed, but works everywhere).
Custom role JSON (it also includes Microsoft.Resources/subscriptions/resourceGroups/read, which is not in the bullet list above; keep it). The file must be plain JSON with no comments, or az role definition create will reject it:
{
  "Name": "Domotz - VM Metrics (Least Privilege)",
  "IsCustom": true,
  "Description": "Read Azure VM resources, instance view, and Azure Monitor metrics for Domotz driver.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/instanceView/read",
    "Microsoft.Insights/metrics/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<SUBSCRIPTION_ID>"
  ]
}
To narrow the role to one RG, replace the subscription entry with "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG_NAME>" (one entry per resource group if there are several).
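The nine role definitions on this page differ only in their action lists and in the scope you paste in, and hand-editing JSON with placeholders is where wildcards, stray data-plane actions or a "/" scope tend to creep in. The following added example, not one of the Domotz scripts, generates every role above from a table of the actions listed in this document, lints each one against a least-privilege rule set before writing it, and emits plain JSON files (no comments) that az role definition create accepts. The helper names build_role, lint_role and write_role_files, the lint rules, and the description strings are this example's own; the action lists are copied from the role definitions on this page.

```python
"""Build and lint the least-privilege role definitions listed on this page.

Added example; it is not one of the Domotz scripts. The action lists are
copied from the nine role definitions above. The helper names (build_role,
lint_role, write_role_files) and the lint rules are this example's own
conventions, not a Domotz or Azure API.
"""
import json
import re
from pathlib import Path

METRICS_READ = [
    "Microsoft.Insights/metrics/read",
    "Microsoft.Insights/metricDefinitions/read",
]
RG_READ = "Microsoft.Resources/subscriptions/resourceGroups/read"

# Integration name -> control-plane actions its role grants (from this page).
INTEGRATIONS = {
    "Azure Containers Read": ["Microsoft.ContainerInstance/containerGroups/read", *METRICS_READ],
    "Azure Cost Query": ["Microsoft.CostManagement/query/action"],
    "Azure Disks Read": ["Microsoft.Compute/disks/read", *METRICS_READ],
    "Azure NIC Read": ["Microsoft.Network/networkInterfaces/read", *METRICS_READ],
    "Azure Storage Accounts Read": ["Microsoft.Storage/storageAccounts/read", *METRICS_READ],
    "Azure VM Scale Sets Read": ["Microsoft.Compute/virtualMachineScaleSets/read", *METRICS_READ],
    "Azure VMs Read": ["Microsoft.Compute/virtualMachines/read", RG_READ],
    "VMSS Metrics": ["Microsoft.Compute/virtualMachineScaleSets/read", "Microsoft.Insights/metrics/read", RG_READ],
    "VM Metrics": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/instanceView/read",
        "Microsoft.Insights/metrics/read",
        RG_READ,
    ],
}

# The one action on this page that is not a */read: the Cost Management query
# is a POST, but it only returns cost data, so the lint allows it explicitly.
ALLOWED_NON_READ_ACTIONS = {"Microsoft.CostManagement/query/action"}

# Subscription or resource-group scope only; "/" and management groups fail.
SCOPE_RE = re.compile(r"^/subscriptions/[^/]+(/resourceGroups/[^/]+)?$")


def build_role(integration, subscription_id, resource_groups=None):
    """Return the role definition for one integration, assignable at the
    subscription or, when resource_groups is given, only at those groups."""
    sub = f"/subscriptions/{subscription_id}"
    scopes = [f"{sub}/resourceGroups/{rg}" for rg in resource_groups] if resource_groups else [sub]
    return {
        "Name": f"Domotz - {integration} (Least Privilege)",
        "IsCustom": True,
        "Description": f"Read-only access used by the Domotz {integration} script.",
        "Actions": list(INTEGRATIONS[integration]),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": scopes,
    }


def lint_role(role):
    """Return the least-privilege violations found in a role definition
    (an empty list means it passes). Run this on any hand-edited copy too."""
    problems = []
    for action in role.get("Actions", []):
        if "*" in action:
            problems.append(f"wildcard action: {action}")
        elif not action.endswith("/read") and action not in ALLOWED_NON_READ_ACTIONS:
            problems.append(f"non-read action: {action}")
    if role.get("DataActions"):
        problems.append("data-plane actions present: " + ", ".join(role["DataActions"]))
    for scope in role.get("AssignableScopes", []):
        if not SCOPE_RE.match(scope):
            problems.append(f"scope broader than a subscription or resource group: {scope}")
    return problems


def write_role_files(subscription_id, out_dir):
    """Write one plain-JSON file per integration (no comments, so az can parse
    it) and return the paths. Refuses to write a role that fails the lint."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for name in INTEGRATIONS:
        role = build_role(name, subscription_id)
        problems = lint_role(role)
        if problems:
            raise ValueError(f"{name}: {problems}")
        path = out / (re.sub(r"[^a-z0-9]+", "-", name.lower()).strip("-") + ".json")
        path.write_text(json.dumps(role, indent=2) + "\n")
        paths.append(path)
    return paths


if __name__ == "__main__":
    # Example subscription id; replace it with your own, then run the printed commands.
    for p in write_role_files("00000000-0000-0000-0000-000000000000", "roles"):
        print(f"az role definition create --role-definition @{p}")
```

Run it once with your subscription id, then create only the roles for the scripts you actually use and assign each to the app with az role assignment create --assignee <APP_ID> --role "<role name>" --scope <scope>. Passing resource_groups to build_role restricts AssignableScopes to those groups, which is the narrowing the sections above describe; the lint deliberately rejects a "/" or management-group scope even though Azure would accept it.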