Permissions for Service Principal
  • 26 Sep 2025

Below is a list of the permissions Turbo360 requires for the App Registration used to connect to Azure.

Minimum Permissions

Azure RBAC Permission: Reader

Allows you to use below features:

  • Import cost data
  • Analysis
    • View cost data
    • Single view of a resource
  • Monitoring
    • Setup Monitoring
    • Use the budget planner
    • Use anomaly detection
  • Reports
    • Setup reports
  • Optimization
    • Get rightsizing recommendations (basic & advanced)
    • Get other recommendations
    • Basic rightsizing recommendations
    • Basic savings plan recommendations

Notes:

  • Applied at subscription or management group level

Recommended Additional Permissions

The permissions below are recommended for use with Turbo360.

Azure RBAC Permission: Reservation Reader

Allows you to use below features:

  • View existing reservations
  • Get advanced recommendations
  • Monitor reservation expiry
  • Monitor reservation usage
  • Reservations within the Potential Savings Report
  • Reservations within the executive summary report
  • Deeper analysis on the use of reservations

Notes:

  • Search for Reservations in the Azure portal and assign the role via the role assignments in that area. It is not applied as a subscription-level permission.

Azure RBAC Permission: Savings Plan Reader

Allows you to use below features:

  • View existing savings plans
  • Monitor savings plan expiry
  • Monitor savings plan utilization

Notes:

  • Search for Savings plans in the Azure portal and assign the role via the role assignments in that area. It is not applied as a subscription-level permission.

Optional Permissions (depending on features you will use)

The features below require additional permissions. Each one is optional: grant the permission only if you intend to use the feature.

  • Advanced Rightsizing - Apply Now
    Required Permission: Appropriate Contributor permission for the resource being rightsized (see the table under Least Privilege Resource Level Permissions below)
    Notes: Can be applied at resource level for least privilege
    Alternative Approach: Trigger a notification to your help desk system from Turbo360 to create a ticket and implement the change via an existing process you have

  • Advanced Rightsizing - Schedule to Apply out of hours
    Required Permission: Appropriate Contributor permission for the resource being rightsized (see the table under Least Privilege Resource Level Permissions below)
    Notes: Can be applied at resource level for least privilege
    Alternative Approach: Trigger a notification to your help desk system from Turbo360 to create a ticket and implement the change via an existing process you have

  • Scheduler
    Required Permission: Appropriate Contributor permission for the resource being resized or shut down (see the table under Least Privilege Resource Level Permissions below)
    Notes: Can be applied at resource level for least privilege
    Alternative Approach: None (the alternative is simply not to use this feature)

  • Workflow - Stop VM
    Required Permission: Virtual Machine Contributor
    Notes: Can be applied at resource level for least privilege
    Alternative Approach: None (the alternative is simply not to use this feature)

  • Workflow - Storage workflows
    Required Permission: (not listed)
    Notes: Can be applied at resource level for least privilege
    Alternative Approach: None (the alternative is simply not to use this feature)

Least Privilege Resource Level Permissions

While some customers may choose to give the app registration Contributor permission on the resources they wish to manage, we prefer a least privilege approach. To achieve this you would do the following:

  • Assign the lowest RBAC permission that achieves the job
  • Assign the permission at resource level (or at resource group level when a whole group is managed), not at subscription level

These permissions apply to the following Turbo360 features you may use:

  • Advanced Rightsizing Recommendations (apply now or schedule action)
  • Workflows
  • Scheduler

Below is a list of the permissions used for each of the key actions. Each entry gives the resource type and action, the provider operation(s) the action requires, and the smallest built-in role that contains them. Note that the built-in roles listed are still wider than the single operation shown; if you want the principal to hold only that operation, use a custom role as in the next section.

  • VM: Turn on
    Provider operation: Microsoft.Compute/virtualMachines/start/action
    Smallest built-in role: Virtual Machine Contributor

  • VM: Turn off (deallocate)
    Provider operation: Microsoft.Compute/virtualMachines/deallocate/action
    Smallest built-in role: Virtual Machine Contributor

  • VM: Resize (change size)
    Provider operation: Microsoft.Compute/virtualMachines/write (typically also needs deallocate/action and start/action, because the VM is stopped and restarted around the size change)
    Smallest built-in role: Virtual Machine Contributor

  • VM Scale Set: Turn on (whole set)
    Provider operation: Microsoft.Compute/virtualMachineScaleSets/start/action
    Smallest built-in role: Virtual Machine Scale Set Contributor or Virtual Machine Contributor

  • VM Scale Set: Turn off (whole set)
    Provider operation: Microsoft.Compute/virtualMachineScaleSets/deallocate/action (the set-level operation, which is the one used in the custom role below; Microsoft.Compute/virtualMachineScaleSets/virtualMachines/deallocate/action is the per-instance equivalent)
    Smallest built-in role: Virtual Machine Scale Set Contributor or Virtual Machine Contributor

  • VM Scale Set: Change SKU/size (model)
    Provider operation: Microsoft.Compute/virtualMachineScaleSets/write
    Smallest built-in role: Virtual Machine Scale Set Contributor

  • App Service Plan: Resize (SKU/size/instances)
    Provider operation: Microsoft.Web/serverfarms/write
    Smallest built-in role: Web Plan Contributor

  • SQL Database: Resize (DTU/vCore, SLO)
    Provider operation: Microsoft.Sql/servers/databases/write
    Smallest built-in role: SQL DB Contributor

  • SQL Elastic Pool: Resize
    Provider operation: Microsoft.Sql/servers/elasticPools/write
    Smallest built-in role: SQL Elastic Pool Contributor

  • SQL Managed Instance: Resize (vCores/storage)
    Provider operation: Microsoft.Sql/managedInstances/write
    Smallest built-in role: SQL Managed Instance Contributor

  • Data Factory: Disable pipeline trigger
    Provider operation: Microsoft.DataFactory/factories/triggers/stop/action
    Smallest built-in role: Data Factory Contributor

  • Data Factory: Enable pipeline trigger
    Provider operation: Microsoft.DataFactory/factories/triggers/start/action
    Smallest built-in role: Data Factory Contributor

  • Synapse (pipelines): "Pause" (disable triggers)
    Permission: Synapse workspace RBAC; enable/disable via Synapse Contributor or Synapse Artifact Publisher (these are Synapse workspace roles assigned in Synapse Studio, not Azure RBAC roles)

  • Logic App (Consumption): Enable workflow
    Provider operation: Microsoft.Logic/workflows/enable/action
    Smallest built-in role: Logic App Operator

  • Logic App (Consumption): Disable workflow
    Provider operation: Microsoft.Logic/workflows/disable/action
    Smallest built-in role: Logic App Operator

  • Cosmos DB, Table API: Change table RU/s
    Provider operation: Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/write
    Smallest built-in role: DocumentDB Account Contributor

  • Cosmos DB, SQL (NoSQL) container: Change container RU/s
    Provider operation: Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/write
    Smallest built-in role: DocumentDB Account Contributor

  • Cosmos DB, SQL (NoSQL) database: Change database RU/s
    Provider operation: Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/write
    Smallest built-in role: DocumentDB Account Contributor

Custom Role

If you want to create a custom role so that Turbo360 can perform rightsizing and scheduling activities, you might consider the following example. It contains only the write/action operations from the table above plus a few read operations, and it assumes the Reader role from the Minimum Permissions section is already assigned at subscription or management group scope. Strict JSON does not allow comments, so remove the // lines and replace the <SUBSCRIPTION_ID> and <RG_NAME> placeholders before passing the file to az role definition create or New-AzRoleDefinition. Delete the section for any resource type you do not manage so the role stays as small as the job requires.

{
  "Name": "Turbo360 Rightsizing and Scheduler",
  "IsCustom": true,
  "Description": "Least-privilege ops to start/stop/resize for Turbo360",
  "Actions": [
    // ---- Compute: Virtual Machines (Resize) ----
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",

    // ---- Compute: Virtual Machines (Stop / Start) ----
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",

    // ---- Compute: Virtual Machine Scale Sets (Stop / Start) ----
    "Microsoft.Compute/virtualMachineScaleSets/start/action",
    "Microsoft.Compute/virtualMachineScaleSets/deallocate/action",

    // ---- Compute: Virtual Machine Scale Sets (Resize) ----
    "Microsoft.Compute/virtualMachineScaleSets/write",
    "Microsoft.Compute/virtualMachineScaleSets/scale/action",

    // ---- App Service Plan (Resize) ----
    "Microsoft.Web/serverfarms/write",

    // ---- Azure SQL (Resize)  ----
    "Microsoft.Sql/servers/databases/write",

    // ---- Azure SQL Elastic Pool (Resize)  ----
    "Microsoft.Sql/servers/elasticPools/write",

    // ---- Azure SQL Managed Instance (Resize)  ----
    "Microsoft.Sql/managedInstances/write",

    // ---- Data Factory (Stop / Start Triggers) ----
    "Microsoft.DataFactory/factories/triggers/start/action",
    "Microsoft.DataFactory/factories/triggers/stop/action",

    // ---- Logic Apps Consumption (Enable / Disable) ----
    "Microsoft.Logic/workflows/read",
    "Microsoft.Logic/workflows/enable/action",
    "Microsoft.Logic/workflows/disable/action",

    // ---- Azure Cosmos DB (RU changes) ----
    "Microsoft.DocumentDB/databaseAccounts/read",
    "Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/read",
    "Microsoft.DocumentDB/databaseAccounts/tables/throughputSettings/write",
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/read",
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/write",
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/read",
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/write"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<SUBSCRIPTION_ID>"
    // Optionally: "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG_NAME>"
  ]
}
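The following is an added example, not code from Turbo360 or from this page, showing how to lint a custom role definition like the one above before creating it. It strips the // comments so the document parses as strict JSON, then checks the role against the least privilege rules from the previous section: no wildcards, no Microsoft.Authorization operations (which would let the principal change its own role assignments), no DataActions, assignable scopes at subscription level or below with the placeholders replaced, and an action list that covers exactly the provider operations the selected features need (taken from the table above) and nothing else beyond read operations. The feature labels, the trimmed SAMPLE_ROLE text and the subscription ID used in the checks are constructed for this example.

```python
import json
import re

# Constructed sample: a trimmed copy of the role above, kept in the same
# comment-bearing form a reader would paste from this page.
SAMPLE_ROLE = r'''
{
  "Name": "Turbo360 Rightsizing and Scheduler",
  "IsCustom": true,
  "Description": "Least-privilege ops to start/stop/resize for Turbo360",
  "Actions": [
    // ---- Compute: Virtual Machines (Stop / Start) ----
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    // ---- App Service Plan (Resize) ----
    "Microsoft.Web/serverfarms/write"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<SUBSCRIPTION_ID>"
    // Optionally: "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG_NAME>"
  ]
}
'''

# Provider operations per Turbo360 action, from the table on this page.
# The feature labels are this example's own, not Turbo360 identifiers.
FEATURE_OPERATIONS = {
    "vm-stop-start": {
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
    },
    "vm-resize": {
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
    },
    "app-service-plan-resize": {"Microsoft.Web/serverfarms/write"},
    "logic-app-enable-disable": {
        "Microsoft.Logic/workflows/enable/action",
        "Microsoft.Logic/workflows/disable/action",
    },
}

_LINE_COMMENT = re.compile(r"^[ \t]*//[^\n]*", re.MULTILINE)
_PLACEHOLDER = re.compile(r"<[^>]+>")


def strip_comments(text):
    """Drop whole-line // comments; strict JSON (and the az CLI) rejects them."""
    return _LINE_COMMENT.sub("", text)


def minimal_actions(features):
    """Union of the provider operations the chosen features need."""
    needed = set()
    for feature in features:
        needed |= FEATURE_OPERATIONS[feature]
    return needed


def lint_role(text, features):
    """Return (code, detail) findings; an empty list means the role passes."""
    role = json.loads(strip_comments(text))
    actions = set(role.get("Actions", []))
    needed = minimal_actions(features)
    findings = []

    # Wildcards and Microsoft.Authorization/* defeat the point of a scoped role:
    # the latter would let the principal grant itself further assignments.
    risky = {a for a in actions if "*" in a or a.startswith("Microsoft.Authorization/")}
    for action in sorted(risky):
        findings.append(("wildcard" if "*" in action else "escalation", action))
    for action in sorted(needed - actions):
        findings.append(("missing", action))
    # */read operations are tolerated: the page assumes Reader is already granted
    # at subscription scope, so only surplus write/action operations matter.
    for action in sorted(actions - needed - risky):
        if not action.endswith("/read"):
            findings.append(("extra", action))
    if role.get("DataActions"):
        findings.append(("data_actions", ",".join(role["DataActions"])))
    for scope in role.get("AssignableScopes", []):
        if _PLACEHOLDER.search(scope):
            findings.append(("placeholder", scope))
        elif not scope.startswith("/subscriptions/"):
            findings.append(("broad_scope", scope))
    return findings


if __name__ == "__main__":
    # Only VM stop/start is wanted here, so the App Service Plan write is surplus.
    for finding in lint_role(SAMPLE_ROLE, ["vm-stop-start"]):
        print("%-12s %s" % finding)
```

Run it against the full role from this page with the list of features you actually enabled; once lint_role returns no findings, save the comment-free JSON and create the role with az role definition create --role-definition @role.json, then assign it to the app registration's service principal at the resource or resource group scope rather than at the subscription.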

