Azure role-based access control (Azure RBAC) is the primary method of managing access in Azure. Managing who can access your Azure resources and subscriptions is an important part of your Azure governance strategy.
Azure RBAC is an authorization system built on Azure Resource Manager that provides granular access management to Azure resources. When planning your access control strategy, it is best practice to grant users the least privilege required to get their work done.
To assign roles or grant access, ensure that you hold the appropriate Microsoft.Authorization role assignment (Global Administrator).
📝 Note: Before you onboard or register subscriptions, ensure that the "Users can register applications" permission is enabled for your user account in the Azure environment.
Permissions
The following table provides detailed information on the permissions required to grant Druva access to your Azure environment.
Onboarding Permissions
Permission Name | Permission ID | Why Druva needs the Permission
--- | --- | ---
Azure Key Vault | user_impersonation | Grants temporary access as the installer to create the link to Druva
Azure Service Management | user_impersonation | Grants temporary access as the installer to create the link to Druva
Microsoft.ManagedIdentity | userAssignedIdentities/read | Assigns the managed identity to the Druva Quantum Bridge so that it can access the key vault
Microsoft Graph | Application.Read.All | Grants Druva access to verify whether the tenant was previously registered (first onboarding versus adding additional subscriptions)
Microsoft Graph | AppRoleAssignment.ReadWrite.All | Grants Druva access to specific subscriptions
Backup and Restore Permissions for Azure VM
Permission Name | Permission ID | Why Druva needs the Permission
--- | --- | ---
Azure Key Vault | vaults/read | Create the secondary encryption key
Microsoft.Network | networkSecurityGroups/read | Discover values in order to provide inputs for restore
Microsoft.Resources | ResourceGroups/read | Discover Azure resources for backup
Microsoft.Compute | virtualMachines/Read | Perform backup and restore operations
Microsoft.Compute | virtualMachineScaleSets/Read-InstanceView | Perform backup and restore operations
Microsoft.Compute | images/read | Create a native image for backup, see the images that were created and their status, and provide data for the UI
Microsoft.Compute | snapshots/read | See the snapshots that were created and their status
Microsoft.Compute | snapshots/beginGetAccess | Read the data to be backed up
Microsoft.Compute | disks/read | View and manage restores; on restore failure, grants the clean-up permissions required
Discovery, Backup, and Restore permissions for Azure SQL Databases and Managed Instances
Permission Name | Permission ID | Why Druva needs the Permission
--- | --- | ---
Microsoft.ManagedIdentity | userAssignedIdentities/assign/action | Assigns the managed identity to the Druva Quantum Bridge so that it can access the key vault
Microsoft.Sql | /servers/read, /servers/elasticPools/read, /servers/databases/read, /servers/databases/write, /servers/databases/delete | Discover, back up, and restore Azure SQL Databases
Microsoft.Sql | /managedInstances/read, /managedInstances/databases/read, /managedInstances/databases/delete, /managedInstances/databases/write | Discover, back up, and restore Azure SQL managed instances
Microsoft.Compute | /virtualMachines/runCommand/action | Execute SQL commands on the Druva Quantum Bridge and discover SQL servers on Azure VMs
Microsoft.Network | /privateEndpoints/read | Fetch properties for the specified Private Endpoint connection
Microsoft.Sql | /servers/privateEndpointConnections/read, /managedInstances/privateEndpointConnections/read | Fetch properties for the specified Private Endpoint connection
Backup and Restore Azure Blob Storage
Permission Name | Permission ID | Why Druva needs the Permission
--- | --- | ---
Microsoft.Storage | Microsoft.Storage/storageAccounts/write, Microsoft.Storage/storageAccounts/read | Permissions required to create and read/list the storage account
Microsoft.Storage | Microsoft.Storage/storageAccounts/blobServices/containers/write, Microsoft.Storage/storageAccounts/blobServices/containers/read | Permissions required to manage blob containers
Microsoft.Storage | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read, Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | Permissions required to back up and restore Azure blobs
Microsoft.Storage | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read, Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write, Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action | Permissions required to manage the tag information used to list blobs efficiently
Microsoft.Storage | Microsoft.Storage/storageAccounts/blobServices/containers/getAcl/action, Microsoft.Storage/storageAccounts/blobServices/containers/setAcl/action | Permissions required to get and set additional container and blob properties
Microsoft.Storage | Microsoft.Storage/storageAccounts/blobServices/read, Microsoft.Storage/storageAccounts/blobServices/write | Permissions required to read change feed data and to enable or disable the change feed
Microsoft.Insights | Microsoft.Insights/eventtypes/values/read | Permission required to read activity logs
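The least-privilege guidance at the top of this page and the permission tables above lend themselves to a concrete check: build an Azure custom role that contains only the listed actions, then audit whatever role is already assigned to the backup identity for wildcards and for actions the tables never ask for. The script below is an added example, not Druva's code. It composes full action strings from the "Backup and Restore Permissions for Azure VM" table as "<provider namespace>/<permission ID>" (so "Azure Key Vault | vaults/read" becomes Microsoft.KeyVault/vaults/read); where the table abbreviates an operation name, the full name used is marked as an assumption in a comment, and the scale-set row is left out because its operation name is not spelled out. The subscription ID, the role name and the "existing" role being audited are constructed placeholders. Wildcard matching follows Azure RBAC semantics (case-insensitive, `*` matches any characters, NotActions subtract from Actions).

```python
"""Compose a least-privilege Azure custom role from a permission table and
audit an existing role definition against it.

Added example (not Druva's code).  Action strings are composed from the page's
"Backup and Restore Permissions for Azure VM" table; where the table
abbreviates an operation name, the full name assumed here is flagged in a
comment.  The subscription ID and the audited role are constructed placeholders.
"""
import fnmatch
import json

# Control-plane actions the VM backup/restore table asks for.
VM_BACKUP_ACTIONS = [
    "Microsoft.KeyVault/vaults/read",                          # page: "Azure Key Vault | vaults/read"
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",   # page: "ResourceGroups/read" (full name assumed)
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/images/read",
    "Microsoft.Compute/snapshots/read",
    "Microsoft.Compute/snapshots/beginGetAccess/action",       # page: "snapshots/beginGetAccess" (full name assumed)
    "Microsoft.Compute/disks/read",
]


def build_custom_role(name, actions, subscription_id, description=""):
    """Return a role definition in the JSON shape accepted by
    `az role definition create --role-definition @file.json`."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": description,
        "Actions": list(actions),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def action_matches(pattern, action):
    """Azure RBAC action matching: case-insensitive, '*' matches any run of characters."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_granted(role, action):
    """An action is effective when an Actions pattern matches it and no NotActions pattern excludes it."""
    allowed = any(action_matches(p, action) for p in role.get("Actions", []))
    denied = any(action_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied


def audit_role(role, required_actions):
    """Compare a role definition with the required action list.

    missing   - required actions the role does not effectively grant
    overbroad - Actions patterns containing a wildcard (grant more than the table lists)
    unneeded  - literal Actions entries that match no required action
    """
    missing = [a for a in required_actions if not is_granted(role, a)]
    overbroad = [p for p in role.get("Actions", []) if "*" in p]
    unneeded = [
        p for p in role.get("Actions", [])
        if "*" not in p and not any(action_matches(p, a) for a in required_actions)
    ]
    return {"missing": missing, "overbroad": overbroad, "unneeded": unneeded}


if __name__ == "__main__":
    # Placeholder subscription ID; replace with the target subscription.
    role = build_custom_role(
        "Druva VM Backup Operator (example)", VM_BACKUP_ACTIONS,
        "00000000-0000-0000-0000-000000000000",
        "Least-privilege role for Azure VM backup and restore",
    )
    print(json.dumps(role, indent=2))

    # Constructed "existing" role a reviewer might find already assigned: a
    # provider-wide wildcard plus a role-assignment write the tables never ask for.
    existing = {
        "Actions": ["Microsoft.Compute/*", "Microsoft.Authorization/roleAssignments/write"],
        "NotActions": [],
    }
    print(json.dumps(audit_role(existing, VM_BACKUP_ACTIONS), indent=2))
```

Save the printed role definition to a file and create it with `az role definition create --role-definition @role.json`, then assign it to the backup identity at subscription or resource-group scope with `az role assignment create`. The audit output for the constructed "existing" role shows the two findings that matter in a least-privilege review: `Microsoft.Compute/*` is broader than the eight Compute and non-Compute actions the table lists (and still leaves the Key Vault, Network and Resources reads missing), and `Microsoft.Authorization/roleAssignments/write` lets the identity change role assignments, which none of the tables on this page require.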