To back up an Azure Blob Storage repository with IAM (Identity and Access Management) virtual machine (VM) role assignment, you must first assign the storage blob data owner role to the Azure VM that you will use as an access node to back up the storage account, then, using the IAM VM role assignment type of authentication, add an object storage repository using that VM as the access node.
Assign the Storage Blob Data Owner Role to the VM
In the Azure portal, using the Azure subscription, create or select a Windows or UNIX VM, if already created.
Turn on the system assigned identity option on the Azure VM which will be used as an access node.
In the Azure Blob Storage account, add the storage blob data owner role to the Azure VM that you will use as the access node.
Add the Object Storage Repository with IAM VM Role Assignment
From the navigation pane, go to Protect > Object storage.
The Object storage page appears.
In the upper-right area of the page, click Add object storage.
The Add object storage dialog box appears.
Click Azure Blob Storage.
The Configure Azure Blob Storage wizard appears.
On the Plan tab of the wizard, select the backup plan that you want to use for the object storage repository, and then click Next.
On the Access Node tab of the wizard, select one or more Azure VMs or the server group of Azure VMs where the Cloud Apps package is installed, and then click Next.
The access nodes must be of similar operating system type.
All servers in the server group must be reachable through network routes.
On the Add object storage tab of the wizard, complete the following steps:
In the Object storage name box, enter a name for the repository.
In the Host URL box, enter the Azure Blob Storage service account URL.
For example, you can enter blob.core.windows.net.
From the Authentication list, select IAM VM role.
In the Account name box, enter the name of the Azure Blob Storage account, and then click Next.
On the Backup Content tab of the wizard, complete the following steps:
Click Add, and do one of the following:
To enter a custom path, click Custom path, and then enter the path for the content.
To browse for content, click Browse, and then select the content.
To exclude some of the content you selected, move the Specify exclusion toggle key to the right, and then add the exclusion.
On the Summary tab of the wizard, review the options, and then click Finish.
For information about how to assign roles to VMs, search for "Configure managed identities for Azure resources on a VM using the Azure portal" in the Microsoft documentation.