Assign an Azure Custom Role for Least Privilege Access to Resources

For least privilege access to Azure resources, you can create a custom Azure role and assign it to the Azure app registration that you use for Commvault.

Prerequisites

  • If you will use Azure CLI or Azure PowerShell for the steps on this page, use the most recent version of the application.

  • Your Azure account must have the following built-in roles:

    • To create the custom role: User Access Administrator

    • To assign permissions to the custom role: Role Based Access Control Administrator

Download the JSON File and Update It With Your Azure Subscription ID

  1. Download the JSON file for the Azure workload that you want to protect and the Azure interface that you want to use:

    Workload                  Azure Portal JSON *           Azure CLI/Azure PowerShell JSON *
    ------------------------  ----------------------------  ---------------------------------
    Azure databases **        AzureDBBackupRole.json        Not available yet
    Azure VMs, encrypted      CVBackupRole-Encryption.json  Not available yet
    Azure VMs, unencrypted    CVBackupRole.json             CVBackupRole_CLI.json

    * The JSON file, or the roles to include in a JSON.

    ** Azure MariaDB, Azure MySQL, Azure PostgreSQL, Azure SQL, and Azure SQL Managed Instance.

  2. Important: In the JSON file, after "assignableScopes", change the subscription ID placeholder value to your Azure subscription ID.

  3. Save the file.
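The placeholder substitution in step 2 is easy to get wrong by hand, so here is an added example (not Commvault's own code) that updates "AssignableScopes" in a downloaded role JSON and checks the definition before it is passed to az role definition create or New-AzRoleDefinition. The role JSON below is a constructed sample in the shape Azure expects, not the contents of the Commvault file.

```python
# Added example (not Commvault's own code): update the subscription-ID
# placeholder under "AssignableScopes" in a downloaded role JSON such as
# CVBackupRole_CLI.json and sanity-check the definition before it goes to
# `az role definition create` / New-AzRoleDefinition.
import json
import re

# Constructed sample in the shape Azure expects; the actions and the
# placeholder are illustrative, not copied from the Commvault file.
SAMPLE_ROLE_JSON = """{
  "Name": "my_custom_role",
  "IsCustom": true,
  "Description": "Commvault backup role (sample)",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/snapshots/write"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]
}"""

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
SCOPE_RE = re.compile(r"^/subscriptions/[0-9a-fA-F-]{36}$")


def prepare_role(role_text: str, subscription_id: str) -> dict:
    """Return the role dict with AssignableScopes set to subscription_id.
    Raises ValueError on a malformed ID, a missing field, a '*' action,
    or a scope wider than one subscription, so mistakes fail early."""
    if not GUID_RE.match(subscription_id):
        raise ValueError(f"not a subscription GUID: {subscription_id!r}")
    role = json.loads(role_text)
    for key in ("Name", "Actions", "AssignableScopes"):
        if key not in role:
            raise ValueError(f"role JSON is missing {key!r}")
    # A least-privilege role never carries a bare "*" action.
    if any(action.strip() == "*" for action in role["Actions"]):
        raise ValueError("role grants every action ('*'); not least privilege")
    scopes = role["AssignableScopes"]
    if len(scopes) != 1 or not SCOPE_RE.match(scopes[0]):
        raise ValueError(f"AssignableScopes must be one subscription: {scopes}")
    role["AssignableScopes"] = [f"/subscriptions/{subscription_id}"]
    return role


if __name__ == "__main__":
    updated = prepare_role(SAMPLE_ROLE_JSON, "11111111-2222-3333-4444-555555555555")
    with open("my_custom_role.json", "w") as fh:  # file used by the steps below
        json.dump(updated, fh, indent=2)
```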

Assign the Custom Role

Azure Portal

  1. From the All services menu, click the Subscriptions tab, and then select your subscription ID.

  2. On the Access Control (IAM) tab, click Add, and then select Add role assignment.

    The Add role assignment pane appears.

  3. From the Role list, select the custom role.

  4. From the Assign access to list, select User, group, or service principal.

  5. In the Select box, enter the application name, and then select the application for protecting your Azure workload.

  6. Click Save.

Azure CLI

  1. Create the custom role:

    az role definition create --role-definition .\my_custom_role.json

    Where my_custom_role is the name of the JSON file.

  2. Assign the custom role to your subscription:

    az role assignment create --assignee Azure_app --role my_custom_role --scope /subscriptions/Azure_subscription_ID

    Where:

    • Azure_app is the name of your Azure app.

    • my_custom_role is the name of the custom role (the same name as the JSON file).

    • Azure_subscription_ID is the ID of your Azure subscription.

Azure PowerShell

  1. Create the custom role:

    New-AzRoleDefinition -InputFile "my_custom_role.json"

    Where my_custom_role is the name of the JSON file.

  2. Assign the custom role to your subscription:

    New-AzRoleAssignment -ObjectId Object_ID -RoleDefinitionName my_custom_role -Scope /subscriptions/Azure_subscription_ID

    Where:

    • Object_ID is the object ID of the service principal for your Azure app.

    • my_custom_role is the name of the custom role (the same name as the JSON file).

    • Azure_subscription_ID is the ID of your Azure subscription.
