Assign Azure Built-In Roles for Access to Resources

You can assign Azure built-in roles to the Azure app registration that you use for Commvault Cloud.

Prerequisites

  • If you will use Azure CLI or Azure PowerShell for the steps on this page, use the most recent version of the application.

  • Your Azure account must have the Role Based Access Control Administrator role.

Procedure

Azure Portal

  1. In the Azure portal, on the Access Control (IAM) tab, click Add, and then select Add role assignment.

    The Add role assignment pane appears.

  2. From the Role list, select the roles that are required for the workload:

    Workload, with the roles to assign in the Azure portal:

    • Azure CosmosDB, Azure MariaDB, Azure MySQL, or Azure PostgreSQL databases:
      - Contributor
      - Blob Storage Contributor

    • Azure SQL or Azure SQL Managed Instance databases:
      - SQL Server Contributor
      - SQL Managed Instance Contributor
      - Blob Storage Contributor

    • Azure VMs, encrypted: not available yet

    • Azure VMs, unencrypted:
      - Contributor
      - Storage Blob Data Contributor

    • Azure Blob Storage:
      - Storage Blob Data Owner
      - Reader

    • Azure Data Lake Storage Gen2:
      - Storage Blob Data Owner
      - Reader

    • Azure File Storage

  3. From the Assign access to list, select User, group, or service principal.

  4. For Members, do the following:

    1. Click Select members.

      The Select members blade appears.

    2. In the Select box, start typing to select the application that you created in the preceding step.

  5. Click Save.

  6. To obtain the tenant ID (which is also the directory ID) from the public Azure cloud, go to Azure Active Directory > Properties > Directory.

  7. To protect Azure resources with your own storage account, repeat the preceding steps to add the Storage Blob Data Contributor role.

Azure CLI

  • Use the following command to create the service principal for your app and assign a role to it:

    az ad sp create-for-rbac -n Azure_app --scopes /subscriptions/${Azure_subscription_ID} --role "role" --output json --only-show-errors

    Where:

    - Azure_app is the name of your Azure app.

    - Azure_subscription_ID is the ID of your Azure subscription.

    - role is the role to assign.

  • Required roles for Azure workloads are as follows (the same roles apply in Azure CLI and Azure PowerShell):

    • Azure CosmosDB, Azure MariaDB, Azure MySQL, or Azure PostgreSQL databases:
      - Contributor
      - Blob Storage Contributor

    • Azure SQL or Azure SQL Managed Instance databases:
      - Blob Storage Contributor
      - SQL Managed Instance Contributor
      - SQL Server Contributor

    • Azure VMs, encrypted: not available yet

    • Azure VMs, unencrypted:
      - Storage Blob Data Contributor

    • Azure Blob Storage:
      - Storage Blob Data Owner
      - At the subscription level: Reader

    • Azure Data Lake Storage Gen2:
      - Storage Blob Data Owner
      - At the subscription level: Reader

    • Azure File Storage:
      - At the storage account level: Storage Blob Data Contributor, Storage File Data Privileged Contributor
      - At the subscription level: Microsoft.Storage/storageAccounts/read, Storage Account Contributor
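The role table above as a scripted set of scoped assignments, added here as an example that is not Commvault's or Microsoft's code: it maps each workload keyword to the roles the table lists, resolves the stated scope level to an ARM scope, and prints (or, with DRY_RUN=0, runs) one `az role assignment create` per role. The workload keywords, the service principal object id and the storage account resource id are constructed placeholders; where the table names no scope, the subscription is assumed.

```shell
#!/bin/sh
# Added example (not Commvault's or Microsoft's code). Turns the role table into scoped
# `az role assignment create` calls; ids below are constructed placeholders, role names are the page's.
set -eu

# Print "role|level" lines for a workload. "level" is where the table assigns the role: "account"
# (storage account) or "subscription"; where the table gives no scope we assume the subscription,
# matching the --scopes of the page's create-for-rbac command. Microsoft.Storage/storageAccounts/read
# (Azure File Storage) is an action, not a built-in role, so it needs a custom role definition
# and is not emitted here.
roles_for_workload() {
  case "$1" in
    blob|adls) printf '%s\n' 'Storage Blob Data Owner|subscription' 'Reader|subscription' ;;
    file) printf '%s\n' 'Storage Blob Data Contributor|account' \
                        'Storage File Data Privileged Contributor|account' \
                        'Storage Account Contributor|subscription' ;;
    vm-unencrypted) printf '%s\n' 'Storage Blob Data Contributor|subscription' ;;
    *) echo "unknown workload: $1" >&2; return 1 ;;
  esac
}

# Map a level to an ARM scope. $1 level, $2 subscription id, $3 storage account resource id.
scope_for() {
  case "$1" in
    subscription) printf '/subscriptions/%s\n' "$2" ;;
    account) printf '%s\n' "$3" ;;
    *) echo "unknown scope level: $1" >&2; return 1 ;;
  esac
}

# One assignment per required role. $1 workload, $2 SP object id, $3 subscription id,
# $4 storage account resource id. DRY_RUN=1 (default) prints the commands instead of running them.
# --assignee-object-id with --assignee-principal-type skips the Graph lookup that --assignee needs,
# which also avoids the propagation race right after the service principal is created.
assign_roles() {
  roles_for_workload "$1" | while IFS='|' read -r role level; do
    scope=$(scope_for "$level" "$3" "$4")
    if [ "${DRY_RUN:-1}" = 1 ]; then
      printf 'az role assignment create --assignee-object-id %s --assignee-principal-type ServicePrincipal --role "%s" --scope %s\n' "$2" "$role" "$scope"
    else
      az role assignment create --assignee-object-id "$2" \
        --assignee-principal-type ServicePrincipal --role "$role" --scope "$scope"
    fi
  done
}

# Constructed sample ids (placeholders, not real resources).
SUB=11111111-1111-1111-1111-111111111111
SA="/subscriptions/$SUB/resourceGroups/rg-commvault/providers/Microsoft.Storage/storageAccounts/cvbackupsa"
assign_roles file 00000000-0000-0000-0000-000000000001 "$SUB" "$SA"
```

Review the printed commands before setting DRY_RUN=0; the narrower storage-account scope is what keeps the app's blob and file permissions off the rest of the subscription.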

Azure PowerShell

  • Use the following command to assign roles:

    New-AzRoleAssignment -ApplicationId $sp.AppId -RoleDefinitionName 'role'

    Where:

    - $sp is the service principal object of your Azure app (for example, as returned by Get-AzADServicePrincipal).

    - role is the role to assign.

  • The required roles for each Azure workload are the same as those listed in the table in the Azure CLI section above; that table applies to both Azure CLI and Azure PowerShell.
