Optional Additional Permissions
Invoices
The Azure tenant agent must have the Billing Reader role to read the invoices optional component.
Management Groups
The Azure tenant agent must have the following right to read the management groups optional component.
Microsoft.Management/managementGroups/read over scope /providers/Microsoft.Management
For more information see the error reading management groups support article.
Storage Accounts (Access Keys)
The Azure tenant agent must have the Storage Account Key Operator Service role or following right to read the Storage Accounts (Access Keys) optional component.
Microsoft.Storage/storageAccounts/listKeys/action
Virtual Machines (Screenshot)
The Azure tenant agent must have the following right to read the Virtual Machines (Screenshot) optional component.
Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action
Web Apps (Application Settings)
The Azure tenant agent must have the Website Contributor role or following right to read the Web Apps (Application Settings) optional component.
Microsoft.Web/sites/config/list/action over the config/appsettings scope.
Web Apps (FTP Publishing Settings Password)
The Azure tenant agent must have the Website Contributor role or following right to read the Web Apps (FTP Publishing Settings Password) optional component.
Microsoft.Web/sites/config/list/action over the config/publishingCredentials scope.