Invoices


The Azure tenant agent must have the Billing Reader role to read the invoices optional component.



Management Groups


The Azure tenant agent must have the following right to read the management groups optional component

      Microsoft.Management/managementGroups/read over scope /providers/Microsoft.Management

       For more information see the error reading management groups support article.



Storage Accounts (Access Keys)


The Azure tenant agent must have the Storage Account Key Operator Service role or following right to read the Storage Accounts (Access Keys) optional component.

      Microsoft.Storage/storageAccounts/listKeys/action



Virtual Machines (Screenshot)


The Azure tenant agent must have the following right to read the Virtual Machines (Screenshot) optional component.

      Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action



Web Apps (Application Settings)


The Azure tenant agent must have the Website Contributor role or following right to read the Web Apps (Application Settings) optional component.

      Microsoft.Web/sites/config/list/action over the config/appsettings scope.



Web Apps (FTP Publishing Settings Password)


The Azure tenant agent must have the Website Contributor role or following right to read the Web Apps (FTP Publishing Settings Password) optional component.

      Microsoft.Web/sites/config/list/action over the config/publishingCredentials scope.