
Roles and Permissions for Azure Files

Updated today

❗ Important

This feature has limited availability. To know more about limited availability and sign up for this feature, contact your Account Manager.


You need to attach roles to the NAS proxy (Azure virtual machine) that runs the NAS agent. These roles are essential for executing the Azure APIs required for operations such as listing, reading, and writing to Azure Files.

Once the custom role is attached to the virtual machine, the necessary permissions for the Azure SDK are fetched from the Azure virtual machine instance's metadata service, allowing the NAS agent to start backup and restore operations using the Azure APIs.

Roles and Permissions

The following table provides detailed information about the permissions allowed for roles:

| Permission Name | Description |
| --- | --- |
| Microsoft.Storage/storageAccounts/write<br>Microsoft.Storage/storageAccounts/read | Permission to create and read/list storage accounts. |
| Microsoft.Storage/storageAccounts/fileServices/shares/read<br>Microsoft.Storage/storageAccounts/fileServices/shares/write | Permission to manage Azure Files. |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read<br>Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write<br>Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action<br>Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action<br>Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action | Permission to back up and restore Azure Files. |

You must attach the custom role to the virtual machine with the above Azure permissions. For more information, see the prerequisites section.
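Before attaching a custom role to the NAS proxy, it helps to confirm that the role grants every permission in the table and nothing broader. The following check is an added example, not vendor code. It assumes the role definition is exported as JSON with a `permissions` list containing `actions`, `notActions`, `dataActions` and `notDataActions`; the sample role, including how it splits permissions between the two lists, is constructed for illustration.

```python
from fnmatch import fnmatchcase

P = "Microsoft.Storage/storageAccounts"
# Permissions from the table above.
REQUIRED = [
    f"{P}/write", f"{P}/read",
    f"{P}/fileServices/shares/read", f"{P}/fileServices/shares/write",
    f"{P}/fileServices/fileshares/files/read",
    f"{P}/fileServices/fileshares/files/write",
    f"{P}/fileServices/fileshares/files/modifypermissions/action",
    f"{P}/fileServices/readFileBackupSemantics/action",
    f"{P}/fileServices/writeFileBackupSemantics/action",
]

# Constructed sample: one wildcard that is too broad, one permission missing.
SAMPLE_ROLE = {"permissions": [{
    "actions": [f"{P}/read", f"{P}/write", f"{P}/fileServices/shares/*"],
    "notActions": [],
    "dataActions": [
        f"{P}/fileServices/fileshares/files/read",
        f"{P}/fileServices/fileshares/files/write",
        f"{P}/fileServices/fileshares/files/modifypermissions/action",
        f"{P}/fileServices/readFileBackupSemantics/action",
    ],
    "notDataActions": [],
}]}

def _granted(perm, allow, deny):
    """Case-insensitive match with '*' wildcards; Not* entries subtract."""
    p = perm.lower()
    hit = any(fnmatchcase(p, a.lower()) for a in allow)
    return hit and not any(fnmatchcase(p, d.lower()) for d in deny)

def audit_role(role):
    """Return (missing, excess) relative to the permissions in the table."""
    blocks = role.get("permissions", [])
    # A permission counts as granted if either list grants it; this check
    # does not judge which list a permission belongs in.
    missing = [perm for perm in REQUIRED if not any(
        _granted(perm, b.get("actions", []), b.get("notActions", []))
        or _granted(perm, b.get("dataActions", []), b.get("notDataActions", []))
        for b in blocks)]
    wanted = {r.lower() for r in REQUIRED}
    # Anything not literally in the table (wildcards included) is excess.
    excess = [e for b in blocks
              for e in b.get("actions", []) + b.get("dataActions", [])
              if e.lower() not in wanted]
    return missing, excess

if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE))
```

A non-empty `missing` list means backup or restore calls will be denied; a non-empty `excess` list means the proxy's identity can do more than the table requires.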
