For most Azure resources, Commvault provides a custom role that includes the permissions that are required to protect the resources. In non-production environments, you can use Azure built-in roles instead. For VMs encrypted with Azure Key Vault, you can use a custom role or an access policy, but access policies are less secure and are considered by Microsoft to be a legacy authorization system.
If there is no custom role for an Azure resource that you want to protect, you can create your own custom role.
For instructions to assign roles, see Assign Azure roles using the Azure portal.
Custom Roles
Important
In the JSON file, change placeholder values such as {subscription-id}.
|
Azure resources |
Custom role for Azure Portal |
Custom role for Azure CLI |
|---|---|---|
|
||
|
Azure VM, encrypted and unencrypted |
||
|
Azure VM, unencrypted |
||
|
None |
|
|
Azure File Storage |
None |
Built-In Roles
| Azure resources | Roles to assign to the subscription | Roles to assign to the storage account |
|---|---|---|
|
|
None |
|
|
None |
| Azure VMs, encrypted | None | None |
| Azure VMs, unencrypted |
|
None |
|
|
None |
| Azure File Storage | Storage Account Contributor |
|
Permissions for Azure Key Vault Access Policies
For Azure VMs that are encrypted with Key Vault, instead of using a custom role that you assign to your Azure Key Vault application, you can assign an access policy to the Azure VM or the Azure Key Vault application that functions as your service principal.
For instructions to assign an access policy, see Assign a Key Vault access policy (legacy).
When you assign the access policy, for Key permissions and Secret permissions, select the following permissions:
-
Get
-
Recover
-
Backup
-
Restore
Note
The Commvault Cloud software does not support VMs that are encrypted with Azure Key Vault for managing certificates.