Azure
diff --git a/‎cmd/armCmd.go‎
Lines changed: 3 additions & 0 deletions b/‎cmd/armCmd.go‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎cmd/bicepCmd.go‎
Lines changed: 3 additions & 0 deletions b/‎cmd/bicepCmd.go‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎cmd/rootCmd.go‎
Lines changed: 78 additions & 9 deletions b/‎cmd/rootCmd.go‎
Lines changed: 78 additions & 9 deletions
diff --git a/‎cmd/rootCmd_test.go‎
Lines changed: 143 additions & 0 deletions b/‎cmd/rootCmd_test.go‎
Lines changed: 143 additions & 0 deletions
diff --git a/‎cmd/terraformCmd.go‎
Lines changed: 3 additions & 0 deletions b/‎cmd/terraformCmd.go‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎docs/commandline-flags-and-env-variables.md‎
Lines changed: 86 additions & 11 deletions b/‎docs/commandline-flags-and-env-variables.md‎
Lines changed: 86 additions & 11 deletions
@@ -146,6 +146,9 @@ func getMPFARM(cmd *cobra.Command, args []string) {
 	initialPermissionsToAdd = []string{"Microsoft.Resources/deployments/*", "Microsoft.Resources/subscriptions/operationresults/read"}
 	permissionsToAddToResult = []string{"Microsoft.Resources/deployments/read", "Microsoft.Resources/deployments/write"}
 
+	// Add initial permissions from flag if provided (supports comma-separated string or @file.json)
+	initialPermissionsToAdd, permissionsToAddToResult = appendUserInitialPermissions(initialPermissionsToAdd, permissionsToAddToResult)
+
 	mpfService = usecase.NewMPFService(ctx, rgManager, spRoleAssignmentManager, deploymentAuthorizationCheckerCleaner, mpfConfig, initialPermissionsToAdd, permissionsToAddToResult, true, false, true)
 
 	log.Infof("Show Detailed Output: %t\n", flgShowDetailedOutput)
 
@@ -171,6 +171,9 @@ func getMPFBicep(cmd *cobra.Command, args []string) {
 	initialPermissionsToAdd = []string{"Microsoft.Resources/deployments/*", "Microsoft.Resources/subscriptions/operationresults/read"}
 	permissionsToAddToResult = []string{"Microsoft.Resources/deployments/read", "Microsoft.Resources/deployments/write"}
 
+	// Add initial permissions from flag if provided (supports comma-separated string or @file.json)
+	initialPermissionsToAdd, permissionsToAddToResult = appendUserInitialPermissions(initialPermissionsToAdd, permissionsToAddToResult)
+
 	// Always auto-create resource group since only resource group scoped deployments are supported
 	var autoCreateResourceGroup = true
 	mpfService = usecase.NewMPFService(ctx, rgManager, spRoleAssignmentManager, deploymentAuthorizationCheckerCleaner, mpfConfig, initialPermissionsToAdd, permissionsToAddToResult, true, false, autoCreateResourceGroup)
 
@@ -23,6 +23,7 @@
 package main
 
 import (
+	"encoding/json"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -43,15 +44,16 @@ var (
 	envPrefix                  = "MPF"
 	replaceHyphenWithCamelCase = false
 
-	flgSubscriptionID     string
-	flgTenantID           string
-	flgSPClientID         string
-	flgSPObjectID         string
-	flgSPClientSecret     string
-	flgShowDetailedOutput bool
-	flgJSONOutput         bool
-	flgVerbose            bool
-	flgDebug              bool
+	flgSubscriptionID      string
+	flgTenantID            string
+	flgSPClientID          string
+	flgSPObjectID          string
+	flgSPClientSecret      string
+	flgShowDetailedOutput  bool
+	flgJSONOutput          bool
+	flgVerbose             bool
+	flgDebug               bool
+	flgInitialPermissions  string
 	// RootCmd            *cobra.Command
 )
 
@@ -85,6 +87,7 @@ func NewRootCommand() *cobra.Command {
 	rootCmd.PersistentFlags().BoolVarP(&flgJSONOutput, "jsonOutput", "", false, "Output in JSON format")
 	rootCmd.PersistentFlags().BoolVarP(&flgVerbose, "verbose", "v", false, "verbose output")
 	rootCmd.PersistentFlags().BoolVarP(&flgDebug, "debug", "d", false, "debug output")
+	rootCmd.PersistentFlags().StringVarP(&flgInitialPermissions, "initialPermissions", "", "", "Initial permissions to add to the custom role before starting MPF analysis. Can be a comma-separated list (e.g., 'perm1,perm2') or @path/to/file.json to load from a JSON file with format: {\"RequiredPermissions\":{\"\":[\"perm1\",\"perm2\"]}}.")
 
 	err := rootCmd.MarkPersistentFlagRequired("subscriptionID")
 	if err != nil {
@@ -208,3 +211,69 @@ func getAbsolutePath(path string) (string, error) {
 	}
 	return absPath, nil
 }
+
+// parseInitialPermissions parses the initial permissions from either a comma-separated string
+// or from a JSON file (if the value starts with @).
+// The JSON file should have the same format as .permissionsFromFailedRun.json:
+// {"RequiredPermissions":{"":["perm1","perm2"]}}
+func parseInitialPermissions(value string) ([]string, error) {
+	if value == "" {
+		return nil, nil
+	}
+
+	// Check if it's a file reference (starts with @)
+	if strings.HasPrefix(value, "@") {
+		filePath := strings.TrimPrefix(value, "@")
+		absPath, err := getAbsolutePath(filePath)
+		if err != nil {
+			return nil, fmt.Errorf("error getting absolute path for permissions file: %w", err)
+		}
+
+		file, err := os.Open(absPath)
+		if err != nil {
+			return nil, fmt.Errorf("error opening permissions file %s: %w", absPath, err)
+		}
+		defer file.Close() //nolint:errcheck
+
+		var result domain.MPFResult
+		decoder := json.NewDecoder(file)
+		if err := decoder.Decode(&result); err != nil {
+			return nil, fmt.Errorf("error parsing permissions file %s: %w", absPath, err)
+		}
+
+		permissions := result.RequiredPermissions[""]
+		if len(permissions) == 0 {
+			log.Warnf("No permissions found in file %s under the empty string key", absPath)
+		}
+		return permissions, nil
+	}
+
+	// Parse as comma-separated string
+	permissions := strings.Split(value, ",")
+	for i := range permissions {
+		permissions[i] = strings.TrimSpace(permissions[i])
+	}
+	return permissions, nil
+}
+
+// appendUserInitialPermissions parses the --initialPermissions flag and appends
+// the permissions to both slices. This is a helper to reduce code duplication
+// across arm, bicep, and terraform commands.
+func appendUserInitialPermissions(initialPermissionsToAdd, permissionsToAddToResult []string) ([]string, []string) {
+	if flgInitialPermissions == "" {
+		return initialPermissionsToAdd, permissionsToAddToResult
+	}
+
+	userPermissions, err := parseInitialPermissions(flgInitialPermissions)
+	if err != nil {
+		log.Fatalf("Error parsing initial permissions: %v\n", err)
+	}
+
+	if len(userPermissions) > 0 {
+		log.Infof("Adding user-specified initial permissions: %v\n", userPermissions)
+		initialPermissionsToAdd = append(initialPermissionsToAdd, userPermissions...)
+		permissionsToAddToResult = append(permissionsToAddToResult, userPermissions...)
+	}
+
+	return initialPermissionsToAdd, permissionsToAddToResult
+}
@@ -0,0 +1,143 @@
+//     MIT License
+//
+//     Copyright (c) Microsoft Corporation.
+//
+//     Permission is hereby granted, free of charge, to any person obtaining a copy
+//     of this software and associated documentation files (the "Software"), to deal
+//     in the Software without restriction, including without limitation the rights
+//     to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+//     copies of the Software, and to permit persons to whom the Software is
+//     furnished to do so, subject to the following conditions:
+//
+//     The above copyright notice and this permission notice shall be included in all
+//     copies or substantial portions of the Software.
+//
+//     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+//     IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+//     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+//     AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+//     LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+//     OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+//     SOFTWARE
+
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"reflect"
+	"testing"
+)
+
+func TestParseInitialPermissions(t *testing.T) {
+	tests := []struct {
+		name        string
+		input       string
+		want        []string
+		wantErr     bool
+		setupFile   bool
+		fileContent string
+	}{
+		{
+			name:    "empty string returns nil",
+			input:   "",
+			want:    nil,
+			wantErr: false,
+		},
+		{
+			name:    "single permission",
+			input:   "Microsoft.Storage/storageAccounts/read",
+			want:    []string{"Microsoft.Storage/storageAccounts/read"},
+			wantErr: false,
+		},
+		{
+			name:  "comma-separated permissions",
+			input: "Microsoft.Storage/storageAccounts/read,Microsoft.Storage/storageAccounts/write",
+			want: []string{
+				"Microsoft.Storage/storageAccounts/read",
+				"Microsoft.Storage/storageAccounts/write",
+			},
+			wantErr: false,
+		},
+		{
+			name:  "comma-separated permissions with spaces",
+			input: "Microsoft.Storage/storageAccounts/read, Microsoft.Storage/storageAccounts/write , Microsoft.Storage/storageAccounts/listKeys/action",
+			want: []string{
+				"Microsoft.Storage/storageAccounts/read",
+				"Microsoft.Storage/storageAccounts/write",
+				"Microsoft.Storage/storageAccounts/listKeys/action",
+			},
+			wantErr: false,
+		},
+		{
+			name:      "file reference with valid JSON",
+			input:     "@testperms.json",
+			setupFile: true,
+			fileContent: `{
+				"RequiredPermissions": {
+					"": [
+						"Microsoft.Storage/storageAccounts/read",
+						"Microsoft.Storage/storageAccounts/write"
+					]
+				}
+			}`,
+			want: []string{
+				"Microsoft.Storage/storageAccounts/read",
+				"Microsoft.Storage/storageAccounts/write",
+			},
+			wantErr: false,
+		},
+		{
+			name:    "file reference to non-existent file",
+			input:   "@nonexistent.json",
+			want:    nil,
+			wantErr: true,
+		},
+		{
+			name:        "file reference with invalid JSON",
+			input:       "@invalid.json",
+			setupFile:   true,
+			fileContent: `not valid json`,
+			want:        nil,
+			wantErr:     true,
+		},
+		{
+			name:      "file reference with empty permissions array",
+			input:     "@empty.json",
+			setupFile: true,
+			fileContent: `{
+				"RequiredPermissions": {
+					"": []
+				}
+			}`,
+			want:    []string{},
+			wantErr: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Setup file if needed
+			if tt.setupFile {
+				filename := tt.input[1:] // Remove @ prefix
+				tmpDir := t.TempDir()
+				filePath := filepath.Join(tmpDir, filename)
+				err := os.WriteFile(filePath, []byte(tt.fileContent), 0644)
+				if err != nil {
+					t.Fatalf("failed to create test file: %v", err)
+				}
+				// Update input to use absolute path
+				tt.input = "@" + filePath
+			}
+
+			got, err := parseInitialPermissions(tt.input)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("parseInitialPermissions() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("parseInitialPermissions() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
@@ -139,6 +139,9 @@ func getMPFTerraform(cmd *cobra.Command, args []string) {
 	initialPermissionsToAdd := []string{"Microsoft.Resources/deployments/read", "Microsoft.Resources/deployments/write"}
 	permissionsToAddToResult := []string{"Microsoft.Resources/deployments/read", "Microsoft.Resources/deployments/write"}
 
+	// Add initial permissions from flag if provided (supports comma-separated string or @file.json)
+	initialPermissionsToAdd, permissionsToAddToResult = appendUserInitialPermissions(initialPermissionsToAdd, permissionsToAddToResult)
+
 	// Check if permissions file from previous failed run exists
 	if terraform.DoesTFFileExist(flgWorkingDir, FoundPermissionsFromFailedRunFilename) {
 		prevResult, err := terraform.LoadMPFResultFromFile(flgWorkingDir, FoundPermissionsFromFailedRunFilename)
 
@@ -4,17 +4,18 @@
 
 ## Global Flags (Common to all providers)
 
-| Flag               | Environment Variable   | Required / Optional | Description                                                                                                                    |
-|--------------------|------------------------|---------------------|--------------------------------------------------------------------------------------------------------------------------------|
-| subscriptionID     | MPF_SUBSCRIPTIONID     | Required            |                                                                                                                                |
-| tenantID           | MPF_TENANTID           | Required            |                                                                                                                                |
-| spClientID         | MPF_SPCLIENTID         | Required            |                                                                                                                                |
-| spObjectID         | MPF_SPOBJECTID         | Required            | Note this is the SP Object id and is different from the Client ID                                                              |
-| spClientSecret     | MPF_SPCLIENTSECRET     | Required            |                                                                                                                                |
-| showDetailedOutput | MPF_SHOWDETAILEDOUTPUT | Optional            | If set to true, the output shows details of permissions resource wise as well. This is not needed if --jsonOutput is specified |
-| jsonOutput         | MPF_JSONOUTPUT         | Optional            | If set to true, the detailed output is printed in JSON format                                                                  |
-| verbose            | MPF_VERBOSE            | Optional            | If set to true, verbose output with informational messages is displayed                                                        |
-| debug              | MPF_DEBUG              | Optional            | If set to true, output with detailed debug messages is displayed. The debug messages may contain sensitive tokens              |
+| Flag               | Environment Variable   | Required / Optional | Description                                                                                                                       |
+|--------------------|------------------------|---------------------|-----------------------------------------------------------------------------------------------------------------------------------|
+| subscriptionID     | MPF_SUBSCRIPTIONID     | Required            |                                                                                                                                   |
+| tenantID           | MPF_TENANTID           | Required            |                                                                                                                                   |
+| spClientID         | MPF_SPCLIENTID         | Required            |                                                                                                                                   |
+| spObjectID         | MPF_SPOBJECTID         | Required            | Note this is the SP Object id and is different from the Client ID                                                                 |
+| spClientSecret     | MPF_SPCLIENTSECRET     | Required            |                                                                                                                                   |
+| showDetailedOutput | MPF_SHOWDETAILEDOUTPUT | Optional            | If set to true, the output shows details of permissions resource wise as well. This is not needed if --jsonOutput is specified    |
+| jsonOutput         | MPF_JSONOUTPUT         | Optional            | If set to true, the detailed output is printed in JSON format                                                                     |
+| verbose            | MPF_VERBOSE            | Optional            | If set to true, verbose output with informational messages is displayed                                                           |
+| debug              | MPF_DEBUG              | Optional            | If set to true, output with detailed debug messages is displayed. The debug messages may contain sensitive tokens                 |
+| initialPermissions | MPF_INITIALPERMISSIONS | Optional            | Initial permissions to seed the custom role with before MPF analysis. See [Initial Permissions](#initial-permissions) for details |
 
 When used for Terraform, the verbose and debug flags show detailed logs from Terraform.
 
@@ -48,3 +49,77 @@ When used for Terraform, the verbose and debug flags show detailed logs from Ter
 | varFilePath                    | MPF_VARFILEPATH                    | Optional            | Path to the Terraform variables file                                                                                                                                              |
 | importExistingResourcesToState | MPF_IMPORTEXISTINGRESOURCESTOSTATE | Optional            | Default Value is true. This is required for some scenarios as described in the [Known Issues - Import Errors](./known-issues-and-workarounds.MD#existing-resource--import-errors) |
 | targetModule                   | MPF_TARGETMODULE                   | Optional            | Target module to be used for the Terraform deployment                                                                                                                             |
+
+## Initial Permissions
+
+The `--initialPermissions` flag allows you to specify permissions that should be added to the custom role before MPF starts its analysis. This is particularly useful when:
+
+- Using **Terraform with a remote backend** (e.g., Azure Storage) that requires permissions to access the state store
+- You want to **reduce MPF execution time** by seeding known permissions upfront
+- Your deployment has **prerequisites** that need specific permissions before the main deployment can proceed
+
+### Usage
+
+The flag accepts two formats:
+
+#### 1. Comma-separated list
+
+```bash
+azmpf terraform \
+  --initialPermissions "Microsoft.Storage/storageAccounts/read,Microsoft.Storage/storageAccounts/listKeys/action" \
+  --workingDir ./my-terraform \
+  # ... other flags
+```
+
+#### 2. JSON file reference (prefix with @)
+
+```bash
+azmpf terraform \
+  --initialPermissions @backend-permissions.json \
+  --workingDir ./my-terraform \
+  # ... other flags
+```
+
+The JSON file must have the following format:
+
+```json
+{
+  "RequiredPermissions": {
+    "": [
+      "Microsoft.Storage/storageAccounts/read",
+      "Microsoft.Storage/storageAccounts/listKeys/action",
+      "Microsoft.Storage/storageAccounts/blobServices/containers/read",
+      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
+      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
+    ]
+  }
+}
+```
+
+### Example: Terraform Remote Backend
+
+When using Azure Storage as a Terraform remote backend, the service principal needs permissions to access the storage account. Create a file called `backend-permissions.json`:
+
+```json
+{
+  "RequiredPermissions": {
+    "": [
+      "Microsoft.Storage/storageAccounts/read",
+      "Microsoft.Storage/storageAccounts/listKeys/action",
+      "Microsoft.Storage/storageAccounts/blobServices/containers/read",
+      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
+      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
+    ]
+  }
+}
+```
+
+Then run MPF with:
+
+```bash
+azmpf terraform \
+  --initialPermissions @backend-permissions.json \
+  --tfPath $(which terraform) \
+  --workingDir ./my-terraform \
+  # ... other required flags
+```