Azure Repository Account Permissions

    To manage backup repositories residing in Azure blob containers, Azure repository accounts must have the following permissions:

    "permissions": [
      {
        "actions": [
          "Microsoft.Authorization/roleAssignments/read",
          "Microsoft.KeyVault/vaults/deploy/action",
          "Microsoft.KeyVault/vaults/keys/versions/read",
          "Microsoft.KeyVault/vaults/read",
          "Microsoft.Network/privateEndpoints/delete",
          "Microsoft.Network/privateEndpoints/read",
          "Microsoft.Network/privateEndpoints/write",
          "Microsoft.Network/privateLinkServices/privateEndpointConnections/read",
          "Microsoft.Network/privateLinkServices/privateEndpointConnections/write",
          "Microsoft.Network/privateLinkServices/privateEndpointConnections/delete",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Storage/storageAccounts/blobServices/read",
          "Microsoft.Storage/storageAccounts/listKeys/action",
          "Microsoft.Storage/storageAccounts/privateEndpointConnections/write",
          "Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action",
          "Microsoft.Storage/storageAccounts/read"
        ]
      }
    ]

    To encrypt data stored in a backup repository using the Azure Key Vault service, the repository account used to create the backup repository must additionally be assigned the following data actions:

    "dataActions": [
      "Microsoft.KeyVault/vaults/keys/encrypt/action",
      "Microsoft.KeyVault/vaults/keys/decrypt/action",
      "Microsoft.KeyVault/vaults/keys/read"
    ]
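The following is an added example, not code from this page or from the backup product's own tooling: a check that a custom Azure role definition (the JSON shape accepted by `az role definition create`) actually grants every action and data action listed above. It assumes standard Azure RBAC evaluation, in which a permission is granted when an Actions/DataActions pattern matches it and no NotActions/NotDataActions pattern matches it, with case-insensitive matching and `*` spanning `/`; the sample role is constructed for illustration.

```python
import fnmatch

# Permissions listed on this page: control-plane actions and Key Vault data
# actions the Azure repository account needs.
REQUIRED_ACTIONS = [
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.KeyVault/vaults/deploy/action", "Microsoft.KeyVault/vaults/read",
    "Microsoft.KeyVault/vaults/keys/versions/read",
    "Microsoft.Network/privateEndpoints/read", "Microsoft.Network/privateEndpoints/write",
    "Microsoft.Network/privateEndpoints/delete",
    "Microsoft.Network/privateLinkServices/privateEndpointConnections/read",
    "Microsoft.Network/privateLinkServices/privateEndpointConnections/write",
    "Microsoft.Network/privateLinkServices/privateEndpointConnections/delete",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/blobServices/read",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/privateEndpointConnections/write",
    "Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action",
]
REQUIRED_DATA_ACTIONS = [
    "Microsoft.KeyVault/vaults/keys/encrypt/action",
    "Microsoft.KeyVault/vaults/keys/decrypt/action",
    "Microsoft.KeyVault/vaults/keys/read",
]

def _granted(permission, allow, deny):
    """Azure RBAC semantics (assumed): granted when an allow pattern matches and
    no Not* pattern does; matching is case-insensitive and '*' also spans '/'."""
    def matches(patterns):
        return any(fnmatch.fnmatchcase(permission.lower(), p.lower()) for p in patterns)
    return matches(allow) and not matches(deny)

def missing_permissions(role_definition):
    """Return the required actions and dataActions the role does not grant."""
    blocks = role_definition.get("permissions", [])
    def collect(key):
        return [a for b in blocks for a in b.get(key, [])]
    return {
        "actions": [a for a in REQUIRED_ACTIONS
                    if not _granted(a, collect("actions"), collect("notActions"))],
        "dataActions": [a for a in REQUIRED_DATA_ACTIONS
                        if not _granted(a, collect("dataActions"), collect("notDataActions"))],
    }

# Constructed sample role: wildcards cover most actions, but notActions withholds
# listKeys and no Key Vault data actions are granted, so Key Vault encryption fails.
SAMPLE_ROLE = {"permissions": [{
    "actions": ["Microsoft.Storage/*", "Microsoft.KeyVault/vaults/*", "Microsoft.Network/*",
                "Microsoft.Authorization/roleAssignments/read",
                "Microsoft.Resources/subscriptions/resourceGroups/read"],
    "notActions": ["Microsoft.Storage/storageAccounts/listKeys/action"],
    "dataActions": [], "notDataActions": [],
}]}
```

Running `missing_permissions` against the JSON returned by `az role definition list --name <role>` shows exactly which entries from the two lists above a role still lacks before it is assigned to the repository account.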