Enterprise Workloads Editions: ✅ Business | ✅ Enterprise | ✅ Elite
Azure role-based access control (Azure RBAC) is the primary method of managing access in Azure. Managing who can access your Azure resources and subscriptions is an important part of your Azure governance strategy.
Azure RBAC is an authorization system built on Azure Resource Manager that provides granular access management to Azure resources. Azure RBAC allows you to manage access to your resources in Azure. When planning your access control strategy, it’s best practice to grant users the least privilege required to get their work done.
To assign roles or grant access, ensure that you have the appropriate Microsoft.Authorization/role assignment of Global Administrator.
📝 Note
Before you onboard or register subscriptions, ensure that you have the Users can register applications permission enabled for your user account in the Azure environment.
Permissions
The following table provides detailed information on the permissions required to grant Druva access to your Azure environment.
Category | Permission Name | Permission ID | Why Druva needs the Permission |
Onboarding Permissions | Azure Key Vault | user_impersonation | Grants temporary access as the installer to create the link to Druva |
Onboarding Permissions | Azure Service Management | user_impersonation | Grants temporary access as the installer to create the link to Druva |
Onboarding Permissions | Microsoft Graph | Application.Read.All | Grants Druva access to verify whether the tenant was previously registered (first onboarding as against adding additional subscriptions) |
Onboarding Permissions | Microsoft Graph | AppRoleAssignment.ReadWrite.All | Grants Druva access to specific Subscriptions |
Backup and Restore Permissions | Azure Key Vault | vaults/read | Creating the secondary encryption key |
Backup and Restore Permissions | Microsoft.Network | networkSecurityGroups/read | Discover values in order to provide inputs for restore |
Backup and Restore Permissions | Microsoft Resources | ResourceGroups/read | Discover Azure resources for backup |
Backup and Restore Permissions | Microsoft.Compute | virtualMachines/Read | Perform backup and restore operations |
Backup and Restore Permissions | Microsoft.Compute | virtualMachineScaleSets/Read-InstanceView | Perform backup and restore operations |
Backup and Restore Permissions | Microsoft.Compute | images/read | Create a native image for backup, see images that were created and their status, and provide data for the UI |
Backup and Restore Permissions | Microsoft.Compute | snapshots/read | See snapshots that were created and their status |
Backup and Restore Permissions | Microsoft.Compute | snapshots/beginGetAccess | Read the data to be backed up |
Backup and Restore Permissions | Microsoft.Compute | disks/read | View and manage restore, and in the case of restore failure grants clean-up permissions as required |
Backup and Restore Permissions | Microsoft ManagedIdentity | userAssignedIdentities/read | Perform backup and restore operations |
Related keywords: key vault, keyvault, azurevault, vault, azure vault, azure vault key, azurevaultkey