Azure role-based access control (Azure RBAC) is the primary method of managing access in Azure. Managing who can access your Azure resources and subscriptions is an important part of your Azure governance strategy.
Azure RBAC is an authorization system built on Azure Resource Manager that provides granular access management to Azure resources. When planning your access control strategy, grant users and service principals only the least privilege required to do their work.
To assign roles or grant access, ensure that your account holds the Microsoft.Authorization/roleAssignments/write permission on the target scope, for example through the Owner or User Access Administrator role. A Global Administrator in Microsoft Entra ID does not have this permission on Azure resources by default and must first elevate access.
📝 Note
Before you onboard or register subscriptions, ensure that your account is allowed to register applications in the Microsoft Entra ID tenant: either the Users can register applications setting is enabled, or your account holds a role that can register applications.
Permissions
The permissions listed below are automatically granted to the Druva Backup Role within each protected subscription during the onboarding process. The list is provided for security review and reference only, so that you can verify that least-privilege access is maintained.
Onboarding Permissions
Permission Name | Permission ID | Why Druva needs the Permission
--- | --- | ---
Azure Key Vault | user_impersonation | Grants temporary access as the installer to create the link to Druva
Azure Service Management | user_impersonation | Grants temporary access as the installer to create the link to Druva
Microsoft.ManagedIdentity | userAssignedIdentities/read | Assign a managed identity to the Druva Quantum Bridge so that it can access the key vault
Microsoft Graph | Application.Read.All | Grants Druva access to verify whether the tenant was previously registered (first onboarding versus adding additional subscriptions)
Microsoft Graph | AppRoleAssignment.ReadWrite.All | Grants Druva access to specific subscriptions

AppRoleAssignment.ReadWrite.All is a highly privileged Microsoft Graph permission: a principal holding it can grant application permissions to any service principal in the tenant, including itself. During your security review, confirm which principal holds it and whether it remains assigned after onboarding completes.
To view workload-specific permissions, expand the relevant sections below.
Backup and Restore Permissions for Azure VM
Permission Name | Permission ID | Why Druva needs the Permission
--- | --- | ---
Azure Key Vault | vaults/read | Create the secondary encryption key
Microsoft.Network | networkSecurityGroups/read | Discover values in order to provide inputs for restore
Microsoft.Resources | ResourceGroups/read | Discover Azure resources for backup
Microsoft.Compute | virtualMachines/Read | Perform backup and restore operations
Microsoft.Compute | virtualMachineScaleSets/Read-InstanceView | Perform backup and restore operations
Microsoft.Compute | images/read | Create a native image for backup, see the images that were created and their status, and provide data for the UI
Microsoft.Compute | snapshots/read | See the snapshots that were created and their status
Microsoft.Compute | snapshots/beginGetAccess | Read the data to be backed up
Microsoft.Compute | disks/read | View and manage restores; if a restore fails, supports the clean-up that is required
Discovery, Backup, and Restore permissions for Azure SQL Databases and Managed Instances
Permission Name | Permission ID | Why Druva needs the Permission
--- | --- | ---
Microsoft.ManagedIdentity | userAssignedIdentities/assign/action | Assign a managed identity to the Druva Quantum Bridge so that it can access the key vault
Microsoft.Sql | /servers/read, /servers/elasticPools/read, /servers/databases/read, /servers/databases/write, /servers/databases/delete | Discover, back up, and restore Azure SQL Databases
Microsoft.Sql | /managedInstances/read, /managedInstances/databases/read, /managedInstances/databases/delete, /managedInstances/databases/write | Discover, back up, and restore Azure SQL managed instances
Microsoft.Compute | /virtualMachines/runCommand/action | Execute SQL commands on the Druva Quantum Bridge, and discover SQL servers running on Azure VMs
Microsoft.Network | /privateEndpoints/read | Fetch properties for the specified Private Endpoint connection
Microsoft.Sql | /servers/privateEndpointConnections/read, /managedInstances/privateEndpointConnections/read | Fetch properties for the specified Private Endpoint connection

Note that the databases/write and databases/delete actions on both SQL servers and managed instances are destructive; they are included for restore, so confirm during review that the role is scoped only to the subscriptions that hold protected SQL resources.
Backup and Restore Azure Blob Storage
Permission Name | Permission ID | Why Druva needs the Permission
--- | --- | ---
Microsoft.Storage | Microsoft.Storage/storageAccounts/write, Microsoft.Storage/storageAccounts/read | Create and read/list storage accounts
Microsoft.Storage | Microsoft.Storage/storageAccounts/blobServices/containers/write, Microsoft.Storage/storageAccounts/blobServices/containers/read | Manage blob containers
Microsoft.Storage | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read, Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | Back up and restore Azure blobs
Microsoft.Storage | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read, Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write, Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action | Manage the tag information required for efficiently listing blobs
Microsoft.Storage | Microsoft.Storage/storageAccounts/blobServices/containers/getAcl/action, Microsoft.Storage/storageAccounts/blobServices/containers/setAcl/action | Get and set additional container and blob properties
Microsoft.Storage | Microsoft.Storage/storageAccounts/blobServices/read, Microsoft.Storage/storageAccounts/blobServices/write | Read change feed data and enable or disable the change feed
Microsoft.Insights | Microsoft.Insights/eventtypes/values/read | Read activity logs
Backup and Restore Azure Files Cloud Native
Resource Provider / Permission ID | Action | Purpose of Permission
--- | --- | ---
Storage Account Access | |
Microsoft.Storage/storageAccounts/read | read | Allows reading high-level storage account properties and configuration.
File Service Configuration | |
Microsoft.Storage/storageAccounts/fileServices/read | read | Allows a principal (user, VM, managed identity, app) to read the configuration and properties of the File Services inside an Azure Storage Account.
Microsoft.Storage/storageAccounts/fileServices/write | write | Allows modifying (PUT/update) the File Services configuration of an Azure Storage Account; used to update the service-level SMB settings. Permissions on individual files are covered by the modifypermissions action below.
File Share Management | |
Microsoft.Storage/storageAccounts/fileServices/shares/read | read | Allows listing and reading details of file shares (properties, quotas).
Microsoft.Storage/storageAccounts/fileServices/shares/write | write | Allows creating or updating file shares (new shares, settings, quotas).
File Data Operations | |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | read | Allows reading file properties and downloading files from a share.
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write | write | Allows creating, modifying, or uploading files within a share.
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action | modifypermissions | Allows modifying access control or permissions (ACLs) for files within a share.
Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action | readFileBackupSemantics | Allows reading file backup metadata (versions, timestamps) for backup operations.
Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action | writeFileBackupSemantics | Allows writing file backup metadata required for restore operations.
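The lists above are meant for a least-privilege review, so the check a reviewer actually wants is a diff between what the role really grants and what is documented. The following Python script is an added example for this page; it is not Druva's code. It assumes the role definition JSON has the shape returned by `az role definition list --name "Druva Backup Role" --custom-role-only`, and the fully qualified action names in DOCUMENTED_VM_ACTIONS are this example's expansion of the abbreviated IDs in the Azure VM table (the scale-set instance-view entry is left out because the page gives no canonical action name for it). The sample role definition is constructed, not captured from a tenant, and contains two deliberate deviations for the audit to catch.

```python
"""Least-privilege audit of a custom Azure role against a documented action list.

Added example; not Druva's code. Assumes the role JSON is the element returned by
`az role definition list --name "<role>" --custom-role-only`.
"""
import json

# Fully qualified names assumed for the abbreviated IDs in the Azure VM table,
# e.g. "snapshots/beginGetAccess" -> "Microsoft.Compute/snapshots/beginGetAccess/action".
DOCUMENTED_VM_ACTIONS = frozenset({
    "Microsoft.KeyVault/vaults/read",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/images/read",
    "Microsoft.Compute/snapshots/read",
    "Microsoft.Compute/snapshots/beginGetAccess/action",
    "Microsoft.Compute/disks/read",
})

# Constructed sample (not from a real tenant). Deliberate drift: an undocumented
# delete, a wildcard read, and images/read missing.
SAMPLE_ROLE_JSON = r'''
{
  "roleName": "Druva Backup Role",
  "roleType": "CustomRole",
  "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
  "permissions": [
    {
      "actions": [
        "Microsoft.KeyVault/vaults/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/snapshots/read",
        "Microsoft.Compute/snapshots/beginGetAccess/action",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/disks/delete",
        "Microsoft.Compute/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ]
}
'''


def audit_role(role: dict, documented: frozenset) -> dict:
    """Compare every action and dataAction the role grants against the documented set."""
    granted = []
    for perm in role.get("permissions", []):
        granted.extend(perm.get("actions", []))
        granted.extend(perm.get("dataActions", []))
    # Wildcards are reported separately: "Microsoft.Compute/*/read" silently covers
    # every future read action in the provider, which defeats a static allow-list.
    wildcards = sorted(a for a in granted if "*" in a)
    undocumented = sorted(a for a in granted if "*" not in a and a not in documented)
    missing = sorted(documented - set(granted))
    scopes = role.get("assignableScopes", [])
    return {
        "wildcards": wildcards,
        "undocumented": undocumented,
        "missing": missing,
        "root_scope": "/" in scopes,          # assignable at tenant root: too broad
        "is_custom": role.get("roleType") == "CustomRole",
    }


def audit_role_json(text: str, documented: frozenset = DOCUMENTED_VM_ACTIONS) -> dict:
    """Accept either a single role object or the array `az role definition list` prints."""
    data = json.loads(text)
    if isinstance(data, list):
        data = data[0]
    return audit_role(data, documented)


def is_least_privilege(report: dict) -> bool:
    """Missing documented actions are a functional gap, not a privilege finding."""
    return not (report["wildcards"] or report["undocumented"] or report["root_scope"])


if __name__ == "__main__":
    result = audit_role_json(SAMPLE_ROLE_JSON)
    print(json.dumps(result, indent=2))
    print("least privilege:", is_least_privilege(result))
```

To run it against a real tenant, save the output of `az role definition list --name "Druva Backup Role" --custom-role-only` to a file and pass its contents to audit_role_json; extend the documented set with the SQL, Blob and Azure Files tables as needed. Data-plane entries such as the Azure Files files/read action appear under dataActions rather than actions, which is why the audit reads both lists.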