Azure Repository Account Permissions
To manage backup repositories residing in Azure blob containers, Azure repository accounts must have the following permissions:
"permissions": [
  {
    "actions": [
      "Microsoft.Authorization/roleAssignments/read",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Storage/storageAccounts/read",
      "Microsoft.Storage/storageAccounts/listKeys/action",
      "Microsoft.Storage/storageAccounts/blobServices/read",
      "Microsoft.Authorization/roleDefinitions/write",
      "Microsoft.KeyVault/vaults/read",
      "Microsoft.KeyVault/vaults/keys/versions/read",
      "Microsoft.KeyVault/vaults/deploy/action"
    ]
  }
]
To encrypt data stored in a backup repository using the Azure Key Vault Service, a repository account used to create the backup repository must be assigned the following permissions:
"dataActions": [
  "Microsoft.KeyVault/vaults/keys/read",
  "Microsoft.KeyVault/vaults/keys/encrypt/action",
  "Microsoft.KeyVault/vaults/keys/decrypt/action"
]
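One way to check a custom role definition against the two lists above before assigning it to a repository account, as an added example that is not part of the original documentation. It assumes the role is parsed JSON with a `permissions` array shaped like the fragment above, and that `*` wildcards and `notActions`/`notDataActions` follow Azure role definition semantics; the function names and the sample role are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Required operations, copied from the two lists on this page.
REQUIRED = {
    "actions": [
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/blobServices/read",
        "Microsoft.Authorization/roleDefinitions/write",
        "Microsoft.KeyVault/vaults/read",
        "Microsoft.KeyVault/vaults/keys/versions/read",
        "Microsoft.KeyVault/vaults/deploy/action",
    ],
    "dataActions": [
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/encrypt/action",
        "Microsoft.KeyVault/vaults/keys/decrypt/action",
    ],
}

def granted(op, allow, deny):
    """True if op matches an allow pattern and no deny pattern (case-insensitive)."""
    hit = lambda pats: any(fnmatchcase(op.lower(), p.lower()) for p in pats)
    return hit(allow) and not hit(deny)

def missing_permissions(role, required=REQUIRED):
    """Return {kind: [required operations the role definition does not grant]}."""
    blocks = role.get("permissions") or []
    out = {}
    for kind, ops in required.items():
        deny_key = "not" + kind[0].upper() + kind[1:]  # notActions / notDataActions
        out[kind] = [op for op in ops if not any(
            granted(op, b.get(kind) or [], b.get(deny_key) or []) for b in blocks)]
    return out

# Constructed sample role (not from the page): wildcards plus a notActions entry.
SAMPLE_ROLE = json.loads("""{"permissions": [{
  "actions": ["*/read", "Microsoft.Storage/storageAccounts/*",
              "Microsoft.KeyVault/vaults/deploy/action"],
  "notActions": ["Microsoft.Storage/storageAccounts/listKeys/action"],
  "dataActions": ["Microsoft.KeyVault/vaults/keys/*/action"]
}]}""")

if __name__ == "__main__":
    print(json.dumps(missing_permissions(SAMPLE_ROLE), indent=2))
```

An empty list for both keys means the role covers everything listed on this page; the sample role is deliberately short of that because its `notActions` entry removes `listKeys/action` even though a wildcard grants it.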