Skip to main content
Roles and permissions for Azure VMs
Updated over 4 months ago

Enterprise Workloads Editions: ✅ Business | ✅ Enterprise | ✅ Elite

​Azure role-based access control (Azure RBAC) is the primary method of managing access in Azure. Managing who can access your Azure resources and subscriptions is an important part of your Azure governance strategy.

Azure RBAC is an authorization system built on Azure Resource Manager that provides granular access management to Azure resources. Azure RBAC allows you to manage access to your resources in Azure. When planning your access control strategy, it’s best practice to grant users the least privilege required to get their work done.

To assign roles or grant access, ensure that you have the appropriate Microsoft.Authorization/role assignment of Global Administrator.


📝 Note
Before you onboard or register subscriptions, ensure that you have the Users can register applications permission enabled for your user account in the Azure environment.


Permissions

The following table provides detailed information on the permissions required to grant Druva access to your Azure environment.

Category

Permission Name

Permission ID

Why Druva needs the Permission

Onboarding Permissions

Azure Key Vault

user_impersonation

Grants temporary access as the installer to create the link to Druva

Onboarding Permissions

Azure Service Management

user_impersonation

Grants temporary access as the installer to create the link to Druva

Onboarding Permissions

Microsoft Graph

Application.Read.All
Application.ReadWrite.OwnedBy

Grants Druva access to verify whether the tenant was previously registered (first onboarding as against adding additional subscriptions)

Onboarding Permissions

Microsoft Graph

AppRoleAssignment.ReadWrite.All

Grants Druva access to specific Subscriptions

Backup and Restore Permissions

Azure Key Vault

vaults/read
vaults/secrets/read
vaults/secrets/write
vaults/write

Creating the secondary encryption key

Backup and Restore Permissions

Microsoft.Network

networkSecurityGroups/read
virtualNetworks/read
virtualNetworks/subnets/read

Discover values in order to provide inputs for restore

Backup and Restore Permissions

Microsoft Resources

ResourceGroups/read

Discover Azure resources for backup

Backup and Restore Permissions

Microsoft.Compute

virtualMachines/Read
virtualMachines/Write
virtualMachines/Deallocate
virtualMachines/Capture
virtualMachines/Read-InstanceView

Perform backup and restore operations

Backup and Restore Permissions

Microsoft.Compute

virtualMachineScaleSets/Read-InstanceView
virtualMachineScaleSets/Read-Skus
virtualMachineScaleSets/Read-NetworkInterfaces
virtualMachineScaleSets/Read-RunCommands

Perform backup and restore operations

Backup and Restore Permissions

Microsoft.Compute

images/read
images/write
locations/operations/read
locations/vmSizes/read

Create a native image for backup, see images that were created and their status, and provide data for the UI

Backup and Restore Permissions

Microsoft.Compute

snapshots/read

See snapshots that were created and their status

Backup and Restore Permissions

Microsoft.Compute

snapshots/beginGetAccess
snapshots/endGetAccess

Read the data to be backed up

Backup and Restore Permissions

Microsoft.Compute

disks/read
disks/write
disks/beginGetAccess
endGetAccess

View and manage restore, and in the case of restore failure grants clean-up permissions as required

Backup and Restore Permissions

Microsoft ManagedIdentity

userAssignedIdentities/read

Perform backup and restore operations

Related keywords: key vault, keyvault, azurevault, vault, azure vault, azure vault key, azurevaultkey

Did this answer your question?