COHESITY Documentation
© 2026 Cohesity, Inc. All Rights Reserved.
NetBackup™ Snapshot Manager for Cloud Install and Upgrade Guide

Configuring permissions on Microsoft Azure

Before NetBackup Snapshot Manager can protect your Microsoft Azure assets, it must have access to them. You must associate a custom role that NetBackup Snapshot Manager users can use to work with Azure assets.

The custom role definition (in JSON format) described below gives NetBackup Snapshot Manager the ability to:

  • Configure the Azure plug-in and discover assets.

  • Create host and disk snapshots.

  • Restore snapshots to the original location or to a new location.

  • Delete snapshots.

Table: NetBackup Snapshot Manager feature versus permissions for Microsoft Azure cloud provider

VM based

| Feature | Task/Operation | Required permission |
|---|---|---|
| Backup from snapshot | To create a shared access signature URI for backup from snapshot. | Microsoft.Storage/*/read |
| | To generate a shared access signature URI for backup from snapshot. | Microsoft.Compute/restorePointCollections/restorePoints/retrieveSasUris/action |
| | To get read access to the disk restore point for creating the backup copy in backup from snapshot. | Microsoft.Compute/restorePointCollections/restorePoints/diskRestorePoints/beginGetAccess/action |
| | To end access to the restore points after a successful backup from snapshot. | Microsoft.Compute/restorePointCollections/restorePoints/diskRestorePoints/endGetAccess/action |
| Creating backup from snapshot | To get access to the snapshot data. | Microsoft.Compute/snapshots/beginGetAccess/action |
| | To end the access URI after the snapshot data is copied into the backup. | Microsoft.Compute/snapshots/endGetAccess/action |
| Restore from backup from snapshot | To create a shared access signature URI for the managed disk. | Microsoft.Compute/disks/beginGetAccess/action |
| | To delete the shared access signature URI after backup from snapshot. | Microsoft.Compute/disks/endGetAccess/action |
| Protection of Virtual Machines | To list VMs, VM scale sets and attached disks. | Microsoft.Compute/*/read |
| Protection of SQL databases | To list Azure SQL databases to be protected. | Microsoft.Sql/*/read |
| Restore disks from snapshots/restore points | To create a disk for restore. | Microsoft.Compute/disks/write |
| Rollback restore / Cleanup in restore | To restore the VM in rollback restore, or to clean up after a failure in the restore workflow. | Microsoft.Compute/virtualMachines/delete |
| Restore disk | To identify the available disk attachment points for restoring disks or files. | Microsoft.Compute/virtualMachines/vmSizes/read |
| Cleanup | To delete the public IP during cleanup after a restore workflow failure, when the original VM has a public IP and the alternate location restore fails. | Microsoft.Network/publicIPAddresses/delete |
| | To delete the restore point collection (RPC) and roll back if the create snapshot workflow fails. | Microsoft.Compute/restorePointCollections/delete |
| List Resources (Discovery) | To get resource group and location information. | Microsoft.Resources/*/read |
| Discovery | To list the subscriptions used to enumerate the assets to be protected. | Microsoft.Subscription/*/read |
| Snapshots and Restores | To tag snapshots as created by Snapshot Manager, and to apply the tags originally present on the VM to the restored VM. | Microsoft.Resources/subscriptions/tagNames/tagValues/write, Microsoft.Resources/subscriptions/tagNames/write |
| Snapshot | To protect disk snapshots from accidental deletion. | Microsoft.Authorization/locks/* |
| List restore points | To list snapshots (restore points) for restores. | Microsoft.Compute/restorePointCollections/read |
| List snapshots | To list and map restore points for the VMs. | Microsoft.Compute/restorePointCollections/restorePoints/read |
| List disk snapshots | To list disk restore points, for application consistency. | Microsoft.Compute/restorePointCollections/restorePoints/diskRestorePoints/read |
| Write snapshots | For incremental snapshots as restore points (application consistent). | Microsoft.Compute/restorePointCollections/restorePoints/write |
| Snapshot cleanup | For cleanup in case of restore failures. | Microsoft.Compute/restorePointCollections/restorePoints/delete |
| Create restore point collections | To create one RPC per VM when a snapshot is triggered for the VM. | Microsoft.Compute/restorePointCollections/write |
| Restore VM | To create the VM in restore. | Microsoft.Compute/virtualMachines/write |
| | To power on the restored VM, as specified in the protection plan. | Microsoft.Compute/virtualMachines/start/action |
| | To obtain ADE extension details, if installed. | Microsoft.Compute/virtualMachines/extensions/read |
| | To install the ADE extension at restore time. | Microsoft.Compute/virtualMachines/extensions/write |
| | To change the state of the VM (stopping the VM for rollback restore). | Microsoft.Compute/virtualMachines/powerOff/action |
| | To list the networks, for restores into the same network as the original resource or into a network selected by the user. | Microsoft.Network/*/read |
| | To list the customer-managed keys. | Microsoft.KeyVault/vaults/keys/read |
| | To roll back a restore and clean up after a failure in the workflow. | Microsoft.Network/networkInterfaces/delete |
| | To attach a network interface card to the restored VM. | Microsoft.Network/networkInterfaces/join/action |
| | To create a network interface card for VM restore. | Microsoft.Network/networkInterfaces/write |
| | To attach a network security group to the VM during restore. | Microsoft.Network/networkSecurityGroups/join/action |
| | To create a network security group for VM restore, if the original VM has one. | Microsoft.Network/networkSecurityGroups/write |
| | To attach a public IP in restore, when the original VM has a public IP. | Microsoft.Network/publicIPAddresses/join/action |
| | To create a public IP in restore, when the original VM has a public IP. | Microsoft.Network/publicIPAddresses/write |
| | To create the VM in a subnet, that is, to join a subnet. | Microsoft.Network/virtualNetworks/subnets/join/action |

Kubernetes cluster based

| Feature | Task/Operation | Required permission |
|---|---|---|
| Get cluster information | To obtain the cluster information. | Microsoft.ContainerService/managedClusters/agentPools/read |
| Scale-in/Scale-out | To obtain the capability of the cluster. | Microsoft.ContainerService/managedClusters/read |
| Scale-in | To maintain the state of the VM scale set. | Microsoft.Compute/virtualMachineScaleSets/delete/action |
| Scale-out | To maintain the state of the VM scale set. | Microsoft.Compute/virtualMachineScaleSets/write |

Marketplace deployment

| Feature | Task/Operation | Required permission |
|---|---|---|
| High availability | To attach the Snapshot Manager data disk to a VM scale set instance. | Microsoft.Compute/virtualMachineScaleSets/write |
| | (Scale-in) To maintain the state of the VM scale set. | Microsoft.Compute/virtualMachineScaleSets/delete/action |

The following set of permissions is required to use managed identity for discovery, create, delete, database authentication and point-in-time restore (applicable only to Azure SQL and Managed Instance databases) for supported PaaS databases:

"actions": [
    "Microsoft.Authorization/*/read",
    "Microsoft.Subscription/*/read",
    "Microsoft.Resources/*/read",
    "Microsoft.ManagedIdentity/*/read",
    "Microsoft.Sql/*/read",
    "Microsoft.Sql/servers/databases/write",
    "Microsoft.Sql/servers/databases/delete",
    "Microsoft.Sql/managedInstances/databases/write",
    "Microsoft.Sql/managedInstances/databases/delete",
    "Microsoft.DBforMySQL/servers/read",
    "Microsoft.DBforMySQL/servers/databases/read",
    "Microsoft.DBforMySQL/flexibleServers/read",
    "Microsoft.DBforMySQL/flexibleServers/databases/read",
    "Microsoft.DBforMySQL/servers/databases/write",
    "Microsoft.DBforMySQL/flexibleServers/databases/write",
    "Microsoft.DBforMySQL/servers/databases/delete",
    "Microsoft.DBforMySQL/flexibleServers/databases/delete",
    "Microsoft.DBforPostgreSQL/servers/databases/delete",
    "Microsoft.DBforPostgreSQL/flexibleServers/databases/delete",
    "Microsoft.DBforPostgreSQL/servers/databases/write",
    "Microsoft.DBforPostgreSQL/flexibleServers/databases/write",
    "Microsoft.DBforPostgreSQL/servers/read",
    "Microsoft.DBforPostgreSQL/servers/databases/read",
    "Microsoft.DBforPostgreSQL/flexibleServers/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.DBforPostgreSQL/flexibleServers/databases/read"
],

Additional permissions required by PaaS workloads

"Microsoft.DBforMySQL/servers/read",
"Microsoft.DBforMySQL/servers/databases/read",
"Microsoft.DBforMySQL/flexibleServers/read",
"Microsoft.DBforMySQL/flexibleServers/databases/read",
"Microsoft.DBforPostgreSQL/servers/read",
"Microsoft.DBforPostgreSQL/servers/databases/read",
"Microsoft.DBforPostgreSQL/flexibleServers/read",
"Microsoft.DBforMariaDB/servers/read",
"Microsoft.DBforMariaDB/servers/databases/read",
"Microsoft.DBforPostgreSQL/flexibleServers/databases/read",
"Microsoft.Sql/*/write",
"Microsoft.Sql/*/delete"

If you use a system-assigned managed identity for PaaS Azure SQL and Managed Instance, apply the same set of permissions/rules to the media server(s) and Snapshot Manager. If you use a user-assigned managed identity, attach the same user-assigned managed identity to the media server(s) and Snapshot Manager.

Permissions required by Azure Cosmos DB for NoSQL

"Microsoft.DocumentDB/databaseAccounts/read",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/write",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/read",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/write",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/read",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/write",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/read",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/write",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/read",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/write",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/read",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/write"

Permissions required by Azure Cosmos DB for MongoDB

"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/read",
"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/write",
"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/read",
"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/write",
"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/delete",
"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/read",
"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/write",
"Microsoft.DocumentDB/databaseAccounts/listKeys/action"

Permissions required by Cloud object store

The following set of permissions is required for discovery, backup, restore, and authentication of Microsoft Azure Object Store:

{
  "properties": {
    "roleName": "cosp_minimal",
    "description": "minimal permission required for cos protection.",
    "assignableScopes": [
      "/subscriptions/<Subscription_ID>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Storage/storageAccounts/blobServices/read",
          "Microsoft.Storage/storageAccounts/blobServices/containers/read",
          "Microsoft.Storage/storageAccounts/blobServices/containers/write",
          "Microsoft.ApiManagement/service/*",
          "Microsoft.Authorization/*/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Storage/storageAccounts/read"
        ],
        "notActions": [],
        "dataActions": [
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
        ],
        "notDataActions": []
      }
    ]
  }
}

To create a custom role using PowerShell, follow the steps in the Azure documentation.

For example:

New-AzureRmRoleDefinition -InputFile "C:\CustomRoles\ReaderSupportRole.json"

To create a custom role using Azure CLI, follow the steps in the Azure documentation.

For example:

az role definition create --role-definition "~/CustomRoles/ReaderSupportRole.json"

Note:

Before creating a role, copy the role definition given earlier (the text in JSON format) into a .json file and use that file as the input file. In the sample commands displayed earlier, ReaderSupportRole.json is the input file that contains the role definition text.

To use this role, perform the following:

  • Assign the role to an application running in the Azure environment.

  • In NetBackup Snapshot Manager, configure the Azure off-host plug-in with the application's credentials.
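As an added example (not code from this page or from Cohesity/NetBackup), the following Python script assembles a subset of the permissions from the table above into the role definition shape accepted by az role definition create, then lints it for the problems that most often break this step: a placeholder subscription ID left in the assignable scope, a malformed action string, a blob data-plane action listed under actions instead of dataActions, and trailing wildcards that grant more than the table calls for. The function names, the role name and the lint rules are this example's own assumptions.

```python
import json
import re

VM_ACTIONS = [  # constructed subset of the "VM based" permissions in the table above
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/disks/write",
    "Microsoft.Compute/disks/beginGetAccess/action",
    "Microsoft.Compute/disks/endGetAccess/action",
    "Microsoft.Compute/restorePointCollections/write",
    "Microsoft.Compute/restorePointCollections/restorePoints/write",
    "Microsoft.Authorization/locks/*",
]

# Provider/resourceType[/subType...]/operation, with '*' allowed as any one segment.
ACTION_RE = re.compile(r"^[A-Za-z0-9.]+(?:/(?:[A-Za-z0-9]+|\*))+$")


def build_role(name, subscription_id, actions, data_actions=()):
    """Return a custom role definition scoped to one subscription (hypothetical helper)."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Permissions for NetBackup Snapshot Manager",
        "Actions": list(actions),
        "NotActions": [],
        "DataActions": list(data_actions),
        "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def lint_role(role):
    """Return (errors, warnings): errors would break the role, warnings need a least-privilege review."""
    errors, warnings = [], []
    for scope in role["AssignableScopes"]:
        if "<" in scope or ">" in scope:  # placeholder such as <Subscription_ID> never replaced
            errors.append(f"placeholder left in scope: {scope}")
    for field in ("Actions", "DataActions"):
        for perm in role[field]:
            if not ACTION_RE.match(perm):
                errors.append(f"malformed {field} entry: {perm}")
            elif perm.endswith("/*"):  # trailing wildcard grants every operation beneath it
                warnings.append(f"broad wildcard in {field}: {perm}")
    for perm in role["Actions"]:
        if "/blobs/" in perm:  # blob operations are data-plane and belong in DataActions
            errors.append(f"data-plane action listed under Actions: {perm}")
    return errors, warnings


def role_json(role):
    return json.dumps(role, indent=2)  # text to save as the --role-definition input file
```

Run lint_role on the definition before saving it; a non-empty errors list means the role will be rejected or will not grant what the table describes, and each warning is a wildcard to compare against the table before assignment.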

More Information

Microsoft Azure plug-in configuration notes
