Skip to main content

Prerequisites to protecting Azure resources

Updated today

To onboard new subscriptions, assign roles or grant access, ensure you have Microsoft.Authorization/role assignment of Global Administrator.

📝 Note

The Global Administrator role is required to register the application within Azure Entra ID, define and assign roles, and to provision the Resource Group and Azure Key Vault. Subscription onboarding is managed at the tenant level, and the access privileges required is that of a Global Admin or Owner. For more information on Azure RBAC, refer to the Microsoft Azure documentation.

Onboarding a new tenant

To onboard Azure subscriptions for the first time, ensure the following:

​Steps to assign Role

  1. Login to your Microsoft Azure portal.

  2. Navigate to Microsoft Entra ID > Manage > Users, and select the Admin Account you are using to onboard the subscription.

  3. Select Manage > Assigned Roles and verify if the account has a Global Administrator role.
    To assign the role, click Add assignments, locate and select the Global Administrator checkbox and then click Add.

​Steps to update access

To add a subscription to the Druva console, you must be an administrator or owner of the subscription in the Azure console.

  1. Login to your Microsoft Azure portal and locate the subscription you wish to onboard. Under Overview verify that My role is set to Owner.

  2. To update access role, navigate to Access control (IAM) and click Add.

  3. Select Add role assignment and search for Owner. Select the user account you wish to use for onboarding the subscription and then click Review+Assign.

​Steps to register Microsoft Key Vault

  • You must have the Azure Key Vault service registered for the subscription that you want to onboard.

    1. Login to your Microsoft Azure portal.

    2. Navigate to Subscriptions and select the subscription that you need to register on Druva.

    3. Scroll to the Resource providers in the Subscription Settings.

    4. Select the following from the list of resource providers and click Register.

      • Microsoft.KeyVault

      • Microsoft ManagedIdentity

​Steps to enable permissions

To onboard or register subscriptions, ensure that you have the Users can register applications permission enabled for your user account in the Azure environment.

  1. Login to your Microsoft Azure portal.

  2. Navigate to Microsoft Entra ID > Manage > User Settings

  3. Set the Users can register applications toggle to Yes. Click Save.

Steps to verify Policy Assignment

Ensure that the region where you want to create the resource group and key vault are allowed in Allowed locations under Policy assignments.


​Steps to verify if the region where you want to create the resource group and key vault are allowed in Allowed locations under Policy assignments.

  1. Login to your Microsoft Azure portal

  2. Navigate to Policy > Authoring > Assignments.

  3. In the search bar, type Allowed locations.

  4. In the Assignment name section, click Allowed locations.

  5. In the Parameter value column, click Edit Assignment add the region where you want to create the resource group and key vault.

  6. Review and click Save.

📝 Note: ​To register multiple subscriptions on Druva, repeat the steps above for each subscription individually.

Updating an existing tenant

If you have already onboarded Azure subscriptions with your existing tenant, update the permissions to onboard new subscriptions. For more information, see Update Azure Tenant Registration.

Related Articles
Quick reference guide to protect Azure VMs
Roles and permissions to protect Azure Resources
Protecting Azure SQL: Quick reference guide
Pre-requisites for protecting Azure SQL resources
Prerequisite for Onboarding Azure Subscriptions
Did this answer your question?