To give Commvault Cloud access to your Azure Blob Storage account, you must assign certain Azure built-in roles to the Azure app registration that you use for Commvault Cloud.
Prerequisites
- If you will use Azure CLI or Azure PowerShell for the steps on this page, use the most recent version of the application.
- To assign Azure roles, your Azure account must have the Role Based Access Control Administrator role.
Procedure
Azure Portal
- In the Azure portal, on the Access Control (IAM) tab, click Add, and then select Add role assignment.
  The Add role assignment pane appears.
- From the Role list, select the following roles:
  - Storage Account Contributor
  - Storage Blob Data Contributor
  - Storage Blob Owner: If you want to use immutable storage for Azure Blob Storage, this role is also required.
- From the Assign access to list, select User, group, or service principal.
- For Members, do the following:
  - Click Select members.
    The Select members blade appears.
  - In the Select box, start typing to select the application that you created in the preceding step.
- Click Save.
- To obtain the tenant ID (which is also the directory ID) from the public Azure cloud, go to Azure Active Directory > Properties > Directory.
Azure CLI
- Assign the Storage Account Contributor role:
  az ad sp create-for-rbac -n Azure_app --scopes /subscriptions/${Azure_subscription_ID} --role "Storage Account Contributor" --output json --only-show-errors
- Assign the Storage Blob Data Contributor role:
  az ad sp create-for-rbac -n Azure_app --scopes /subscriptions/${Azure_subscription_ID} --role "Storage Blob Data Contributor" --output json --only-show-errors
- If you want to use immutable storage for Azure Blob Storage, assign the Storage Blob Owner role:
  az ad sp create-for-rbac -n Azure_app --scopes /subscriptions/${Azure_subscription_ID} --role "Storage Blob Owner" --output json --only-show-errors
Where:
- Azure_app is the name of your Azure app.
- Azure_subscription_ID is the ID of your Azure subscription.
Azure PowerShell
- Assign the Storage Account Contributor role:
  New-AzRoleAssignment -ApplicationId $sp.Azure_app -RoleDefinitionName 'Storage Account Contributor'
- Assign the Storage Blob Data Contributor role:
  New-AzRoleAssignment -ApplicationId $sp.Azure_app -RoleDefinitionName 'Storage Blob Data Contributor'
- If you want to use immutable storage for Azure Blob Storage, assign the Storage Blob Owner role:
  New-AzRoleAssignment -ApplicationId $sp.Azure_app -RoleDefinitionName 'Storage Blob Owner'
Where Azure_app is the name of your Azure app.
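To check the result of any of the three methods above, the following added example (not part of the Commvault documentation) compares the app's role assignments, as returned by az role assignment list, with the roles this page lists, and also reports any assignment beyond that set. The function names, the IMMUTABLE switch, and the sample data are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit an app registration's role assignments against this page.
# Function names, the IMMUTABLE switch and SAMPLE are assumptions for illustration.

TAB=$(printf '\t')

# Roles as named on this page; set IMMUTABLE=1 when immutable storage is used.
required_roles() {
  printf '%s\n' 'Storage Account Contributor' 'Storage Blob Data Contributor'
  if [ "${IMMUTABLE:-0}" = 1 ]; then printf '%s\n' 'Storage Blob Owner'; fi
}

# Live input: one "role<TAB>scope" line per assignment.
# $1 is the application (client) ID of the app registration.
list_assignments() {
  az role assignment list --assignee "$1" --all \
    --query '[].[roleDefinitionName, scope]' --output tsv
}

# stdin: "role<TAB>scope" lines. stdout: required roles that are not assigned.
missing_roles() {
  assigned=$(cut -f1)
  required_roles | while IFS= read -r role; do
    printf '%s\n' "$assigned" | grep -Fxq -- "$role" || printf '%s\n' "$role"
  done
}

# stdin: same lines. stdout: assignments beyond the required set (review these).
unexpected_roles() {
  required=$(required_roles)
  while IFS="$TAB" read -r role scope; do
    printf '%s\n' "$required" | grep -Fxq -- "$role" ||
      printf '%s\t%s\n' "$role" "$scope"
  done
}

# Constructed sample input (not real output): one required role plus Owner.
SUB='/subscriptions/00000000-0000-0000-0000-000000000000'
SAMPLE=$(printf '%s\t%s\n' 'Storage Account Contributor' "$SUB" 'Owner' "$SUB")

printf 'Missing:\n';    printf '%s\n' "$SAMPLE" | missing_roles
printf 'Unexpected:\n'; printf '%s\n' "$SAMPLE" | unexpected_roles
# Against a tenant: list_assignments "$APP_ID" > a.tsv; missing_roles < a.tsv
```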
Related Topics
- For information about immutable storage for Azure Blob Storage, see Store business-critical blob data with immutable storage in the Microsoft documentation.
- To enable immutability for your Azure Blob Storage of Commvault Cloud backups, see WORM Storage and Retention for Cloud Storage.