Manage Agent Permissions and Resources
How to control which Azure resources your agent can access and what it can do with them — add resource groups, change permission levels, and grant subscription-wide access. Learn more → Permissions and roles.
Prerequisites
- An Azure SRE Agent in Running state
- Owner or User Access Administrator role on the resource groups you want to assign
- Access to the Azure portal for subscription-level changes
Step 1: Add managed resource groups
Managed resource groups determine which Azure resources your agent can see during investigations. The agent gets read access to resources in these groups — logs, metrics, and configurations.
- Go to Settings → Managed resources in the left sidebar.
- Click Add resource group.
- Use the search filter to find resource groups across your subscriptions.
- Select the groups you want the agent to access.
- Click Save.
To remove a resource group, select it in the list and click Remove.
Checkpoint: The resource groups you added appear in the Managed resources list.
Step 2: Set the permission level
Permission levels control what your agent can do with managed resources.
| Level | What the agent can do | When to use |
|---|---|---|
| Reader (default) | Read-only. Actions require your approval. | Start here — safest option |
| Privileged | Execute approved actions directly (restart containers, scale resources). | After you trust the agent's behavior |
To change the level:
- Go to Settings → Managed resources.
- Select the resource group.
- Change the permission level.
- Click Save.
The portal shows which Azure RBAC roles will be assigned — Log Analytics Reader, Monitoring Reader, AKS Cluster User, and others depending on the level.
Use run modes to control whether the agent executes actions automatically or waits for approval, independent of the permission level.
Checkpoint: The permission level updates and the portal displays the assigned RBAC roles.
Step 3 (optional): Grant subscription-level access
For broader access than individual resource groups, grant the agent Reader on your entire subscription:
- Go to Settings → Basics in your agent.
- Click the Managed identity link to open it in the Azure portal.
- Navigate to your subscription's Access control (IAM).
- Click Add role assignment.
- Select the Reader role.
- Assign it to the agent's managed identity.
This gives the agent visibility into all resources in the subscription without adding individual resource groups.
Checkpoint: The role assignment appears in your subscription's IAM page.
Step 4: Verify access
Confirm the agent can see the resources you assigned:
- Open a new chat thread.
- Ask: "What Azure resources can you see?"
- The agent responds with a summary of discovered resources, resource groups, and resource types.
Checkpoint: The agent lists the resource groups and resources you configured in the previous steps.
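The chat check shows what the agent reports; the role assignments on its managed identity can also be audited directly against the intent of Steps 1 to 3. The following is an added example, not part of the original page or the product: it inspects records shaped like the JSON output of `az role assignment list --assignee <principal-id> --all`, using constructed sample data. The read-only allowlist, the resource group names, and the function name are assumptions.

```python
import re

# Assumption: roles treated as read-only, limited to roles this page names.
READ_ONLY_ROLES = {"Reader", "Log Analytics Reader", "Monitoring Reader"}

SCOPE_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)(?:/resourceGroups/(?P<rg>[^/]+))?(?P<rest>/.*)?$",
    re.IGNORECASE,
)

def audit_assignments(assignments, managed_rgs, read_only=READ_ONLY_ROLES):
    """Return (severity, role, scope, reason) tuples for assignments to review."""
    managed = {rg.lower() for rg in managed_rgs}  # RG names are case-insensitive
    findings = []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        m = SCOPE_RE.match(scope)
        if m is None:  # management group or root scope
            findings.append(("high", role, scope, "scope above subscription level"))
            continue
        rg, rest = m.group("rg"), m.group("rest")
        sub_wide = rg is None and rest is None
        if role not in read_only:
            where = "subscription-wide" if sub_wide else f"on {rg or 'a subscription-level resource'}"
            findings.append(("high" if sub_wide else "review", role, scope,
                             f"role outside read-only allowlist, {where}"))
        if rg is not None and rg.lower() not in managed:
            findings.append(("review", role, scope, "resource group not in managed list"))
    return findings

# Constructed sample: placeholder subscription ID and hypothetical group names.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = [
    {"roleDefinitionName": "Reader", "scope": SUB},
    {"roleDefinitionName": "Monitoring Reader", "scope": f"{SUB}/resourceGroups/rg-app-prod"},
    {"roleDefinitionName": "Contributor", "scope": f"{SUB}/resourceGroups/rg-app-prod"},
    {"roleDefinitionName": "Log Analytics Reader", "scope": f"{SUB}/resourceGroups/rg-legacy"},
    {"roleDefinitionName": "Contributor", "scope": SUB},
]

if __name__ == "__main__":
    for severity, role, scope, reason in audit_assignments(SAMPLE, ["rg-app-prod"]):
        print(f"[{severity}] {role} @ {scope}: {reason}")
```

A "review" finding on a managed resource group is expected if you set that group to Privileged in Step 2; a "high" finding means the identity holds more than the subscription-wide Reader described in Step 3.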
Next steps
- Permissions and roles — Understand the full permission model
- User roles — Configure who can access your agent
- Run modes — Control agent autonomy levels
- Azure observability — See what the agent can do with Azure access