Veritas NetBackup for Microsoft Azure Stack Administrator's Guide

Adding a Microsoft Azure Stack custom role to provide access permissions to NetBackup administrator

NetBackup requires access to Azure Stack subscriptions to protect them. You must create a custom user in Active Directory for NetBackup and grant that user a role that can access the subscriptions. You can either give the user a co-owner role or create a custom role that has only the permissions required for backup and recovery. An Azure Stack administrator who is a subscription owner can create the custom role for a subscription.

The minimum permissions that NetBackup requires are as follows:

  • Microsoft.Compute/virtualMachines/*

  • Microsoft.Network/networkInterfaces/*

  • Microsoft.Network/networkSecurityGroups/join/action

  • Microsoft.Network/networkSecurityGroups/read

  • Microsoft.Network/publicIPAddresses/join/action

  • Microsoft.Network/publicIPAddresses/read

  • Microsoft.Network/publicIPAddresses/write

  • Microsoft.Network/virtualNetworks/read

  • Microsoft.Network/virtualNetworks/subnets/read

  • Microsoft.Network/virtualNetworks/subnets/join/action

  • Microsoft.Resources/subscriptions/resourceGroups/read

  • Microsoft.Storage/storageAccounts/read

  • Microsoft.Storage/storageAccounts/listKeys/action

To create a custom role, complete the following steps:

  1. For Active Directory Federation Services (ADFS):

    Create a user or service principal named nbu_azst in Active Directory, using the Active Directory Users and Computers dialog box in Microsoft Management Console.

    For Microsoft Azure Active Directory (Azure AD):

    Create the service principal from the Microsoft Azure Active Directory Users dialog box.

    Complete the following steps on a Windows computer that has PowerShell for Azure Stack.

    For more information, refer to https://docs.microsoft.com/en-us/azure/azure-stack/azure-stack-powershell-install.

  2. Create a new text file rbac_NBU_role.json and add the following role definition to the file:
    {
      "Name": "NBU BnR Role",
      "IsCustom": true,
      "Description": "Lets you perform backup and recovery of VMs",
      "Actions": [
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Network/networkInterfaces/*",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/publicIPAddresses/join/action",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/publicIPAddresses/write",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/listKeys/action"
      ],
      "NotActions": [],
      "AssignableScopes": [
        "/subscriptions/{subscription_ID_1}",
        "/subscriptions/{subscription_ID_2}"
      ]
    }

    Note:

    Ensure that you add the required subscriptions under the AssignableScopes field so that the custom role is created with those subscriptions.

    For example, in the file snippet, replace subscription_ID_1 and subscription_ID_2 with actual subscription IDs that you have.

  3. Run the following commands:
    • Add-AzureRMEnvironment -Name AzureStackAdmin -ArmEndpoint "ArmEndpointValue"

      For example, Add-AzureRMEnvironment -Name AzureStackAdmin -ArmEndpoint "https://management.local.azurestack.external"

    • Add-AzureRmAccount -EnvironmentName "AzureStackAdmin"

    • New-AzureRmRoleDefinition -InputFile "<directory_path>\rbac_NBU_role.json"

    You can use the following ARM endpoints:

    • provider subscription

    • tenant subscription

  4. Open the Microsoft Azure Stack console and complete the following steps:

    1. Click Menu and open the subscriptions that you want to protect with NetBackup. Click Access Control (IAM) > Roles to view the newly created role.

    2. From Subscriptions > Access Control (IAM), click Add. In the Select Name field, add the nbu_azst user (ADFS) or the display name of the service principal (AAD). In the Type field, select User, and in the Role field, select the newly added role.

  5. Add the nbu_azst user or service principal to the tpconfig command to take backups.
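
A pre-flight check for the role file from step 2, run before New-AzureRmRoleDefinition in step 3. This is an added example, not part of the NetBackup guide: it reports actions that are missing or that go beyond the documented minimum, and scopes that still hold a placeholder. Test-NbuRoleFile, the sample file name and the sample JSON are assumptions made for illustration.

```powershell
# Added example. Test-NbuRoleFile is a hypothetical helper, not a NetBackup or Azure cmdlet.
function Test-NbuRoleFile {
    param([Parameter(Mandatory)][string]$Path)
    # Minimum permissions listed in this guide.
    $required = @(
        'Microsoft.Compute/virtualMachines/*'
        'Microsoft.Network/networkInterfaces/*'
        'Microsoft.Network/networkSecurityGroups/join/action'
        'Microsoft.Network/networkSecurityGroups/read'
        'Microsoft.Network/publicIPAddresses/join/action'
        'Microsoft.Network/publicIPAddresses/read'
        'Microsoft.Network/publicIPAddresses/write'
        'Microsoft.Network/virtualNetworks/read'
        'Microsoft.Network/virtualNetworks/subnets/read'
        'Microsoft.Network/virtualNetworks/subnets/join/action'
        'Microsoft.Resources/subscriptions/resourceGroups/read'
        'Microsoft.Storage/storageAccounts/read'
        'Microsoft.Storage/storageAccounts/listKeys/action'
    )
    $problems = @()
    # A missing comma or stray character in the file surfaces here as a parse error.
    try { $role = Get-Content -Raw -Path $Path -ErrorAction Stop | ConvertFrom-Json -ErrorAction Stop }
    catch { return "Cannot read or parse ${Path}: $($_.Exception.Message)" }

    $actions = @($role.Actions | Where-Object { $_ })
    foreach ($a in $required) { if ($actions -notcontains $a) { $problems += "Missing action: $a" } }
    # Anything not in the documented list widens the role beyond what backup and recovery need.
    foreach ($a in $actions) { if ($required -notcontains $a) { $problems += "Action beyond documented minimum: $a" } }

    $scopes = @($role.AssignableScopes | Where-Object { $_ })
    if ($scopes.Count -eq 0) { $problems += 'AssignableScopes is empty' }
    $guid = '^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
    foreach ($s in $scopes) { if ($s -notmatch $guid) { $problems += "Scope is not /subscriptions/<GUID>: $s" } }
    $problems   # emits nothing when the file is clean
}

# Constructed sample input: one action too broad, most actions missing, one placeholder scope.
$sample = @'
{ "Name": "NBU BnR Role", "IsCustom": true,
  "Actions": ["Microsoft.Compute/virtualMachines/*", "Microsoft.Storage/storageAccounts/*"],
  "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000",
                       "/subscriptions/{subscription_ID_2}"] }
'@
$file = Join-Path ([System.IO.Path]::GetTempPath()) 'rbac_NBU_role.sample.json'
Set-Content -Path $file -Value $sample
Test-NbuRoleFile -Path $file | ForEach-Object { Write-Warning $_ }
```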

More Information

Adding Microsoft Azure Stack credentials in NetBackup
