Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Snapshot Manager Install and Upgrade Guide
  3. Section I. NetBackup Snapshot Manager installation and configuration
  4. NetBackup Snapshot Manager cloud providers
  5. Microsoft Azure plug-in configuration notes
  6. Configuring permissions on Microsoft Azure
NetBackup™ Snapshot Manager Install and Upgrade Guide

Configuring permissions on Microsoft Azure

Before NetBackup Snapshot Manager can protect your Microsoft Azure assets, it must have access to them. You must associate a custom role that NetBackup Snapshot Manager users can use to work with Azure assets.

The following is a custom role definition (in JSON format) that gives NetBackup Snapshot Manager the ability to:

  • Configure the Azure plug-in and discover assets.

  • Create host and disk snapshots.

  • Restore snapshots to the original location or to a new location.

  • Delete snapshots.

{
  {
     "roleName": "CloudPoint-permissions",
     "description": "Necessary permissions for Azure plug-in operations 
      in CloudPoint",
     "assignableScopes": [
         "/subscriptions/<Subscriptions_ID>"
     ],
     "permissions": [
         {
             "actions": [
                 "Microsoft.Storage/*/read",
								         "Microsoft.Compute/*/read",
                 "Microsoft.Sql/*/read",
																	"Microsoft.Compute/disks/write",
                 "Microsoft.Compute/disks/delete",
                 "Microsoft.Compute/disks/beginGetAccess/action",
                 "Microsoft.Compute/disks/endGetAccess/action",
                 "Microsoft.Compute/snapshots/delete",
                 "Microsoft.Compute/snapshots/write",
                 "Microsoft.Compute/snapshots/beginGetAccess/action",
                 "Microsoft.Compute/snapshots/endGetAccess/action",
                 "Microsoft.Compute/virtualMachines/write",
                 "Microsoft.Compute/virtualMachines/delete",
                 "Microsoft.Compute/virtualMachines/start/action",
                 "Microsoft.Compute/virtualMachines/vmSizes/read",
                 "Microsoft.Compute/virtualMachines/powerOff/action",
                 "Microsoft.Network/*/read",
                 "Microsoft.Network/networkInterfaces/delete",
                 "Microsoft.Network/networkInterfaces/
                  effectiveNetworkSecurityGroups/action",
                 "Microsoft.Network/networkInterfaces/join/action",
                 "Microsoft.Network/networkInterfaces/write",
                 "Microsoft.Network/networkSecurityGroups/join/action",
                 "Microsoft.Network/networkSecurityGroups/write",
                 "Microsoft.Network/publicIPAddresses/delete",
                 "Microsoft.Network/publicIPAddresses/join/action",
                 "Microsoft.Network/publicIPAddresses/write",
                 "Microsoft.Network/virtualNetworks/subnets/join/action",
                 "Microsoft.Resources/*/read",
                 "Microsoft.Resources/subscriptions/tagNames/tagValues/
                  write",
                 "Microsoft.Resources/subscriptions/tagNames/write",
                 "Microsoft.Subscription/*/read",
                 "Microsoft.Authorization/locks/*",
                 "Microsoft.Authorization/*/read",
                 "Microsoft.ContainerService/managedClusters/agentPools/
                  read",
                 "Microsoft.ContainerService/managedClusters/read",
                 "Microsoft.Compute/virtualMachineScaleSets/write",
                 "Microsoft.Compute/virtualMachineScaleSets/delete/action"
             ],
             "notActions": [],
             "dataActions": [],
             "notDataActions": []
         }
     ]
  }
}

The following permissions are required to use managed identity for discovery, create, delete, and point in time restore of Azure SQL and Managed Instant databases:

actions": [
 "Microsoft.Authorization/*/read",
 "Microsoft.Sql/*/read",
 "Microsoft.Subscription/*/read",
 "Microsoft.Resources/*/read",
 "Microsoft.Sql/servers/databases/write",
 "Microsoft.Sql/servers/databases/delete",
 "Microsoft.Sql/managedInstances/databases/write",
 "Microsoft.Sql/managedInstances/databases/delete"
            ],

If NetBackup Snapshot Manager extension is installed on a managed Kubernetes cluster in Azure, then the following permissions can also be added before configuring the plugin:

"Microsoft.ContainerService/managedClusters/agentPools/read",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.Compute/virtualMachineScaleSets/write",
"Microsoft.Compute/virtualMachineScaleSets/delete/action"

Additional permissions required by PaaS workloads:

"Microsoft.DBforMySQL/servers/read",
"Microsoft.DBforMySQL/servers/databases/read",
"Microsoft.DBforMySQL/flexibleServers/read",
"Microsoft.DBforMySQL/flexibleServers/databases/read",
"Microsoft.DBforPostgreSQL/servers/read",
"Microsoft.DBforPostgreSQL/servers/databases/read",
"Microsoft.DBforPostgreSQL/flexibleServers/read",
"Microsoft.DBforPostgreSQL/flexibleServers/databases/read",
"Microsoft.Sql/*/write",
"Microsoft.Sql/*/delete"

If you use system managed identity for the PaaS Azure SQL and Managed Instance, apply the same set of permissions/rules to the media server(s) and snapshot manager. If you use user managed identity, attach the same user managed identity to the media server(s) and snapshot manager.

To create a custom role using powershell, follow the steps mentioned in the Azure documentation.

For example:

New-AzureRmRoleDefinition -InputFile "C:\CustomRoles\ReaderSupportRole.json"

To create a custom role using Azure CLI, follow the steps mentioned in the Azure documentation.

For example:

az role definition create --role-definition "~/CustomRoles/
ReaderSupportRole.json"

Note:

Before creating a role, you must copy the role definition given earlier (text in JSON format) in a .json file and then use that file as the input file. In the sample command displayed earlier, ReaderSupportRole.json is used as the input file that contains the role definition text.

To use this role, perform the following:

  • Assign the role to an application running in the Azure environment.

  • In NetBackup Snapshot Manager, configure the Azure off-host plug-in with the application's credentials.

More Information

Microsoft Azure plug-in configuration notes

Feedback

Was this page helpful?
Previous

Microsoft Azure plug-in configuration notes

Next

About Azure snapshots

Feedback

Was this page helpful?