Azure Repository Account Permissions

    To manage backup repositories residing in Azure blob containers, Azure repository accounts must have the following permissions:

    "permissions": [
      {
        "actions": [
          "Microsoft.Authorization/roleAssignments/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Storage/storageAccounts/read",
          "Microsoft.Storage/storageAccounts/listKeys/action",
          "Microsoft.Storage/storageAccounts/blobServices/read",
          "Microsoft.Authorization/roleDefinitions/write",
          "Microsoft.KeyVault/vaults/read",
          "Microsoft.KeyVault/vaults/keys/versions/read",
          "Microsoft.KeyVault/vaults/deploy/action"
        ]
      }
    ]

    To encrypt data stored in a backup repository using the Azure Key Vault Service, a repository account used to create the backup repository must be assigned the following permissions:

    "dataActions": [
      "Microsoft.KeyVault/vaults/keys/read",
      "Microsoft.KeyVault/vaults/keys/encrypt/action",
      "Microsoft.KeyVault/vaults/keys/decrypt/action"
    ]
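
The following check is an added example, not code from the product or its vendor. It compares a custom role definition against the two lists above, honouring `*` wildcards and subtracting `notActions` / `notDataActions` as Azure RBAC does. The names `missing_permissions` and `SAMPLE_ROLE`, and the sample role's contents, are constructed for illustration.

```python
import re

# Required permissions, copied from the two lists on this page.
REQUIRED = {
    "actions": [
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/blobServices/read",
        "Microsoft.Authorization/roleDefinitions/write",
        "Microsoft.KeyVault/vaults/read",
        "Microsoft.KeyVault/vaults/keys/versions/read",
        "Microsoft.KeyVault/vaults/deploy/action",
    ],
    "dataActions": [
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/encrypt/action",
        "Microsoft.KeyVault/vaults/keys/decrypt/action",
    ],
}

def _covered(patterns, permission):
    # Azure RBAC strings are case-insensitive and may contain '*' wildcards.
    return any(
        re.fullmatch(".*".join(map(re.escape, p.split("*"))), permission, re.IGNORECASE)
        for p in patterns)

def missing_permissions(role):
    """Return required permissions the role does not grant (actions minus notActions)."""
    gaps = {}
    for kind, deny in (("actions", "notActions"), ("dataActions", "notDataActions")):
        gaps[kind] = [need for need in REQUIRED[kind] if not any(
            _covered(b.get(kind, []), need) and not _covered(b.get(deny, []), need)
            for b in role.get("permissions", []))]
    return gaps

# Constructed sample role definition, not taken from the page.
SAMPLE_ROLE = {"permissions": [{
    "actions": ["Microsoft.Authorization/roleAssignments/read",
                "Microsoft.Authorization/roleDefinitions/write",
                "Microsoft.Resources/subscriptions/resourceGroups/read",
                "Microsoft.Storage/storageAccounts/*",
                "microsoft.keyvault/vaults/read"],
    "notActions": ["Microsoft.Storage/storageAccounts/listKeys/action"],
    "dataActions": ["Microsoft.KeyVault/vaults/keys/*/action"],
}]}

print(missing_permissions(SAMPLE_ROLE))
```

In the sample, the storage wildcard would cover `listKeys/action`, but the `notActions` entry removes it, so it is reported as missing along with the two Key Vault actions the role never lists.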