Use Azure role-based access control to manage Azure Backup recovery points
Azure role-based access control (Azure RBAC) enables fine-grained access management for Azure. Using Azure RBAC, you can segregate duties within your team and grant only the amount of access to users that they need to perform their jobs.
Important
Roles provided by Azure Backup are limited to actions that can be performed in Azure portal or via REST API or Recovery Services vault PowerShell or CLI cmdlets. Actions performed in the Azure Backup agent client UI or System center Data Protection Manager UI or Azure Backup Server UI are out of control of these roles.
Azure Backup provides three built-in roles to control backup management operations. Learn more on Azure built-in roles
- Backup Contributor - This role has all permissions to create and manage backup except deleting Recovery Services vault and giving access to others. Imagine this role as admin of backup management who can do every backup management operation.
- Backup Operator - This role has permissions to everything a contributor does except removing backup and managing backup policies. This role is equivalent to contributor except it can't perform destructive operations such as stop backup with delete data or remove registration of on-premises resources.
- Backup Reader - This role has permissions to view all backup management operations. Imagine this role to be a monitoring person.
If you're looking to define your own roles for even more control, see how to build Custom roles in Azure RBAC.
Mapping Backup built-in roles to backup management actions
Minimum role requirements for Azure VM backup
The following table captures the Backup management actions and corresponding minimum Azure role required to perform that operation.
Management Operation | Minimum Azure role required | Scope Required | Alternative |
---|---|---|---|
Create Recovery Services vault | Backup Contributor | Resource group containing the vault | |
Enable backup of Azure VMs | Backup Operator | Resource group containing the vault | |
Virtual Machine Contributor | VM resource | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Compute/virtualMachines/write Microsoft.Compute/virtualMachines/read | |
Enable backup of Azure VMs (from VM blade) | Backup Operator | Resource group containing the vault | |
Backup Operator | Resource group containing the virtual machine | ||
Virtual Machine Contributor | VM resource | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Compute/virtualMachines/write Microsoft.Compute/virtualMachines/read Microsoft.Compute/virtualMachines/instanceView/read | |
On-demand backup of VM | Backup Operator | Recovery Services vault | |
Restore VM | Backup Operator | Recovery Services vault | |
Contributor | Resource group in which VM will be deployed | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Resources/subscriptions/resourceGroups/write Microsoft.DomainRegistration/domains/write (required only for classic VM restore and not required for managed VMs), Microsoft.Compute/virtualMachines/write Microsoft.Compute/virtualMachines/read Microsoft.Network/virtualNetworks/read Microsoft.Network/virtualNetworks/subnets/read Microsoft.Network/virtualNetworks/subnets/join/action | |
Virtual Machine Contributor | Source VM that got backed up | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Compute/virtualMachines/write Microsoft.Compute/virtualMachines/read | |
Storage Account Contributor | Storage account resource where disks are going to be restored | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Storage/storageAccounts/write Microsoft.Storage/storageAccounts/listkeys/action | |
Restore unmanaged disks VM backup | Backup Operator | Recovery Services vault | |
Virtual Machine Contributor | Source VM that got backed up | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Compute/virtualMachines/write Microsoft.Compute/virtualMachines/read | |
Storage Account Contributor | Storage account resource where disks are going to be restored | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Storage/storageAccounts/write Microsoft.Storage/storageAccounts/listkeys/action | |
Restore managed disks from VM backup | Backup Operator | Recovery Services vault | |
Virtual Machine Contributor | Source VM that got backed up | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Compute/virtualMachines/write Microsoft.Compute/virtualMachines/read | |
Storage Account Contributor | Temporary Storage account selected as part of restore to hold data from vault before converting them to managed disks | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Storage/storageAccounts/write Microsoft.Storage/storageAccounts/listkeys/action | |
Contributor | Resource group to which managed disk(s) will be restored | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Resources/subscriptions/resourceGroups/write | |
Restore individual files from VM backup | Backup Operator | Recovery Services vault | |
Virtual Machine Contributor | Source VM that got backed up | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Compute/virtualMachines/write Microsoft.Compute/virtualMachines/read | |
Cross region restore | Backup Operator | Subscription of the recovery Services vault | This is in addition of the restore permissions mentioned above. Specifically for CRR, instead of a built-in-role, you can consider a custom role which has the following permissions: "Microsoft.RecoveryServices/locations/backupAadProperties/read" "Microsoft.RecoveryServices/locations/backupCrrJobs/action" "Microsoft.RecoveryServices/locations/backupCrrJob/action" "Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action" "Microsoft.RecoveryServices/locations/backupCrrOperationResults/read" "Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read" |
Create backup policy for Azure VM backup | Backup Contributor | Recovery Services vault | |
Modify backup policy of Azure VM backup | Backup Contributor | Recovery Services vault | |
Delete backup policy of Azure VM backup | Backup Contributor | Recovery Services vault | |
Stop backup (with retain data or delete data) on VM backup | Backup Contributor | Recovery Services vault | |
Register on-premises Windows Server/client/SCDPM or Azure Backup Server | Backup Operator | Recovery Services vault | |
Delete registered on-premises Windows Server/client/SCDPM or Azure Backup Server | Backup Contributor | Recovery Services vault |
Important
If you specify VM Contributor at a VM resource scope and select Backup as part of VM settings, it will open the Enable Backup screen, even though the VM is already backed up. This is because the call to verify backup status works only at the subscription level. To avoid this, either go to the vault and open the backup item view of the VM or specify the VM Contributor role at a subscription level.
Minimum role requirements for Azure workload backups (SQL and HANA DB backups)
The following table captures the Backup management actions and corresponding minimum Azure role required to perform that operation.
Management Operation | Minimum Azure role required | Scope Required | Alternative |
---|---|---|---|
Create Recovery Services vault | Backup Contributor | Resource group containing the vault | |
Enable backup of SQL and/or HANA databases | Backup Operator | Resource group containing the vault | |
Virtual Machine Contributor | VM resource where DB is installed | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Compute/virtualMachines/write Microsoft.Compute/virtualMachines/read | |
On-demand backup of DB | Backup Operator | Recovery Services vault | |
Restore database or Restore as files | Backup Operator | Recovery Services vault | |
Virtual Machine Contributor | Source VM that got backed up | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Compute/virtualMachines/write Microsoft.Compute/virtualMachines/read | |
Virtual Machine Contributor | Target VM in which DB will be restored or files are created | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Compute/virtualMachines/write Microsoft.Compute/virtualMachines/read | |
Create backup policy for Azure VM backup | Backup Contributor | Recovery Services vault | |
Modify backup policy of Azure VM backup | Backup Contributor | Recovery Services vault | |
Delete backup policy of Azure VM backup | Backup Contributor | Recovery Services vault | |
Stop backup (with retain data or delete data) on VM backup | Backup Contributor | Recovery Services vault | |
Virtual Machine Contributor | Source VM that got backed-up | Alternatively, instead of a built-in-role, you can consider a custom role which has the following permissions: Microsoft.Compute/virtualMachines/write | |
Cross region restore | Backup Operator | Subscription of the Recovery Services vault | This is in addition to the restore permissions mentioned above. In case of cross region restore, instead of a built-in role, you can use a custom role that has the following permissions: - Microsoft.RecoveryServices/locations/backupAadProperties/read - Microsoft.RecoveryServices/locations/backupCrrJobs/action - Microsoft.RecoveryServices/locations/backupCrrJob/action - Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action - Microsoft.RecoveryServices/locations/backupCrrOperationResults/read - Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read |
Minimum role requirements for the Azure File share backup
The following table captures the Backup management actions and corresponding Azure role required to perform that operation.
Management Operation | Role Required | Resources |
---|---|---|
Enable backup from Recovery Services vault | Backup Contributor | Recovery Services vault |
Storage account Contributor | Storage account resource | |
Enable backup from file share blade | Backup Contributor | Recovery Services vault |
Storage account Contributor | Storage account Resource | |
Contributor | Subscription | |
On-demand backup of file share | Backup Operator | Recovery Services vault |
Restore File share | Backup Operator | Recovery Services vault |
Storage Account Backup Contributor | Storage account resources where restore source and Target file shares are present | |
Restore Individual Files | Backup Operator | Recovery Services vault |
Storage Account Contributor | Storage account resources where restore source and Target file shares are present | |
Stop protection | Backup Contributor | Recovery Services vault |
Unregister storage account from vault | Backup Contributor | Recovery Services vault |
Storage Account Contributor | Storage account resource |
Note
If you've contributor access at the resource group level and want to configure backup from file share blade, ensure to get microsoft.recoveryservices/Locations/backupStatus/action permission at the subscription level. To do so, create a custom role and assign this permission.
Minimum role requirements for Azure disk backup
Management Operation | Minimum Azure role required | Scope Required | Alternative |
---|---|---|---|
Validate before configuring backup | Backup Operator | Backup vault | |
Disk Backup Reader | Disk to be backed up | ||
Enable backup from backup vault | Backup Operator | Backup vault | |
Disk Backup Reader | Disk to be backed up | In addition, the backup vault MSI should be given these permissions | |
On demand backup of disk | Backup Operator | Backup vault | |
Validate before restoring a disk | Backup Operator | Backup vault | |
Disk Restore Operator | Resource group where disks will be restored to | ||
Restoring a disk | Backup Operator | Backup vault | |
Disk Restore Operator | Resource group where disks will be restored to | In addition, the backup vault MSI should be given these permissions |
Minimum role requirements for Azure blob backup
Management Operation | Minimum Azure role required | Scope Required | Alternative |
---|---|---|---|
Validate before configuring backup | Backup Operator | Backup vault | |
Storage account backup contributor | Storage account containing the blob | ||
Enable backup from backup vault | Backup Operator | Backup vault | |
Storage account backup contributor | Storage account containing the blob | In addition, the backup vault MSI should be given these permissions | |
On demand backup of blob | Backup Operator | Backup vault | |
Validate before restoring a blob | Backup Operator | Backup vault | |
Storage account backup contributor | Storage account containing the blob | ||
Restoring a blob | Backup Operator | Backup vault | |
Storage account backup contributor | Storage account containing the blob | In addition, the backup vault MSI should be given these permissions |
Next steps
- Azure role-based access control (Azure RBAC): Get started with Azure RBAC in the Azure portal.
- Learn how to manage access with:
- Azure role-based access control troubleshooting: Get suggestions for fixing common issues.