Assign an Azure Custom Role for Least Privilege Access to Resources

For least privilege access to Azure resources, you can create a custom Azure role and assign it to the Azure app registration that you use for Commvault.

Prerequisites

If you will use Azure CLI or Azure PowerShell for the steps on this page, use most recent version of the application.
Your Azure account must have the following built-in roles:
- To create the custom role: Role User Access Administrator
- To assign permissions to the custom role: Role Based Access Control Administrator

Download the JSON File and Update It With Your Azure Subscription ID

Download the JSON file for the Azure workload that you want to protect and the Azure interface that you want to use:

Workload	Azure Portal JSON (or roles to include in a JSON)	Azure CLI/Azure PowerShell JSON (or roles to include in a JSON)
Azure databases: Azure MariaDB Azure MySQL Azure PostgreSQL Azure SQL Azure SQL Managed Instance	AzureDBBackupRole.json	Not available yet
Azure VMs, encrypted	CVBackupRole-Encryption.json	Not available yet
Azure VMs, unencrypted	CVBackupRole.json	CVBackupRole_CLI.json

Workload

Azure Portal JSON (or roles to include in a JSON)

Azure CLI/Azure PowerShell JSON (or roles to include in a JSON)

Azure databases:

Azure MariaDB
Azure MySQL
Azure PostgreSQL
Azure SQL
Azure SQL Managed Instance

AzureDBBackupRole.json

Not available yet

Azure VMs, encrypted

CVBackupRole-Encryption.json

Not available yet

Azure VMs, unencrypted

CVBackupRole.json

CVBackupRole_CLI.json

Important: In the JSON file, after "assignableScopes", change the subscription ID placeholder value to your Azure subscription ID.
Save the file.

Assign the Custom Role

Azure Portal

From the All services menu, click the Subscriptions tab, and then select your subscription ID.
On the Access Control (IAM) tab, click Add, and then select Add role assignment.

The Add role assignment pane appears.
From the Role list, select the custom role.
From the Assign access to list, select User, group, or service principal.
In the Select box, enter the application name, and then select the application for protecting your Azure workload.
Click Save.

Azure CLI

Create the custom role:
```
az role definition create --role-definition .\my_custom_role.json
```
Where my_custom_role is the name of the JSON file.
Assign the custom role to your subscription:
```
az role assignment create --assignee Azure_app --role my_custom_role --scope /subscriptions/Azure_subscription_ID
```
Where:
- Azure_app is the name of your Azure app.
- my_custom_role is the name of the JSON file.
- Azure_subscription_ID is the ID of your Azure subscription.

Azure PowerShell

Ceate the custom role:
```
New-AzRoleDefinition -InputFile "my_custom_role.json"
```
Where my_custom_role is the name of the JSON file.
Assign the custom role to your subscription:
```
New-AzRoleAssignment -ObjectId Object_ID -RoleDefinitionName my_custom_role -Scope /subscriptions/Azure_subscription_ID
```
Where:
- Object_ID is the ID of the object.
- my_custom_role is the name of the JSON file.
- Azure_subscription_ID is the ID of your Azure subscription.