Role Requirements for Protecting Azure Resources with Commvault

When possible, use the Commvault-provided custom roles, for least-privilege access. If there is no custom role for an Azure resource that you want to protect, you can create your own custom role or you can use Azure built-in roles.

For instructions to assign roles, see Assign Azure roles using the Azure portal.

Custom Roles

Important

In the JSON file, after "assignableScopes", change the subscription ID placeholder value to your Azure subscription ID.

Azure resource	Azure Portal JSON	Azure CLI/Azure PowerShell JSON
Azure databases: Azure MariaDB Azure MySQL Azure PostgreSQL Azure SQL Azure SQL Managed Instance	AzureDBBackupRole.json	Not available yet
Azure VMs, encrypted	CVBackupRole-Encryption.json	Not available yet
Azure VMs, unencrypted	CVBackupRole.json	CVBackupRole_CLI.json
Azure object storage: Azure Blob Storage Azure Data Lake Storage Gen2	AzureBlobADLSGen2BackupRole.json	Not available yet
Azure File Storage	AzureFileBackupRole.json	Not available yet

Built-In Roles

Azure resource	Roles to assign in the Azure portal
The following databases: Azure CosmosDB Azure MariaDB Azure MySQL Azure PostgreSQL	Contributor Blob Storage Contributor
The following databases: Azure SQL Azure SQL Managed Instance	SQL Server Contributor SQL Managed Instance Contributor Blob Storage Contributor
Azure VMs, encrypted	Not available yet
Azure VMs, unencrypted	Contributor Storage Blob Data Contributor
Azure Blob Storage	Storage Blob Data Owner At the subscription level Reader
Azure Data Lake Storage Gen2	Storage Blob Data Owner At the subscription level Reader
Azure File Storage	At the storage account level Storage Blob Data Contributor Storage File Data Privileged Contributor At the subscription level Microsoft.Storage/storageAccounts/read Storage Account Contributor