Role Requirements for Protecting Azure Resources with Commvault

When possible, use the Commvault-provided custom roles for least-privilege access. If there is no custom role for an Azure resource that you want to protect, you can create your own custom role or you can use Azure built-in roles.

For instructions on assigning roles, see Assign Azure roles using the Azure portal.

Custom Roles

Important

In the JSON file, after "assignableScopes", change the subscription ID placeholder value to your Azure subscription ID.

| Azure resources | Custom role JSONs |
|---|---|
| Azure MariaDB; Azure MySQL; Azure PostgreSQL; Azure SQL; Azure SQL Managed Instance | AzureDBBackupRole.json |
| Azure VMs, encrypted | CVBackupRole-Encryption.json |
| Azure VMs, unencrypted | CVBackupRole.json |
| Azure Blob Storage; Azure Data Lake Storage Gen2 | AzureBlobADLSGen2BackupRole.json |
| Azure File Storage | AzureFileBackupRole.json |
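
The step in the Important note above, as an added example (not Commvault's code and not part of the original page): it rewrites "assignableScopes" to a real subscription ID and refuses a role file that still carries a placeholder or grants a bare "*". The role layout (fields nested under "properties"), the placeholder text, the sample role contents, the all-zero subscription ID, and the function names are assumptions constructed for illustration.

```python
import copy
import json
import re

GUID = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
SCOPE = re.compile(r"/subscriptions/([^/]+)(/.*)?")

# Constructed sample role definition; NOT the contents of any Commvault JSON file.
SAMPLE_ROLE = json.loads("""{"properties": {
  "roleName": "Example backup role (constructed)",
  "assignableScopes": ["/subscriptions/<subscription-id-placeholder>"],
  "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/read",
                               "Microsoft.Compute/snapshots/write"],
                   "notActions": [], "dataActions": [], "notDataActions": []}]}}""")

def _props(role):  # assumption: portal-style layout nests fields under "properties"
    return role.get("properties", role)

def set_subscription(role, subscription_id):
    """Return a copy of the role with every assignable scope re-pointed at subscription_id."""
    if not GUID.fullmatch(subscription_id):
        raise ValueError("subscription ID must be a GUID")
    out = copy.deepcopy(role)
    scopes = []
    for scope in _props(out)["assignableScopes"]:
        m = SCOPE.fullmatch(scope)
        if m is None:
            raise ValueError(f"not a subscription scope: {scope!r}")
        scopes.append(f"/subscriptions/{subscription_id}{m.group(2) or ''}")
    _props(out)["assignableScopes"] = scopes
    return out

def lint(role):
    """Return findings that should block creating the role; an empty list means OK."""
    findings = []
    scopes = _props(role).get("assignableScopes", [])
    if not scopes:
        findings.append("assignableScopes is missing or empty")
    for scope in scopes:
        m = SCOPE.fullmatch(scope)
        if m is None or not GUID.fullmatch(m.group(1)):
            findings.append(f"scope is not a concrete subscription: {scope}")
    for perm in _props(role).get("permissions", []):
        for field in ("actions", "dataActions"):
            if "*" in perm.get(field, []):
                findings.append(f"{field} grants '*', which defeats a least-privilege role")
    return findings

if __name__ == "__main__":  # all-zero GUID is a constructed stand-in for your subscription ID
    print(json.dumps(set_subscription(SAMPLE_ROLE, "00000000-0000-0000-0000-000000000000"), indent=2))
```

Run lint on the edited file before creating the role; any finding means the file should not be used as is.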

Built-In Roles

| Azure resources | Roles to assign to the subscription | Roles to assign to the storage account |
|---|---|---|
| Azure CosmosDB; Azure MariaDB; Azure MySQL; Azure PostgreSQL | Contributor; Blob Storage Contributor | None |
| Azure SQL; Azure SQL Managed Instance | SQL Server Contributor; SQL Managed Instance Contributor; Blob Storage Contributor | None |
| Azure VMs, encrypted | None | None |
| Azure VMs, unencrypted | Contributor; Storage Blob Data Contributor | None |
| Azure Blob Storage; Azure Data Lake Storage Gen2 | Storage Blob Data Owner; Reader | None |
| Azure File Storage | Storage Account Contributor | Storage Blob Data Contributor; Storage File Data Privileged Contributor |
