Azure permission usage
The following table explains why Cloud Snapshot Manager requires each Azure permission to discover and protect resources in your cloud environment:
Azure Permission | Cloud Snapshot Manager Usage |
---|---|
Microsoft.Authorization/*/read | |
Microsoft.Compute/availabilitySets/* | Enables VM restore. |
Microsoft.Compute/disks/* | |
Microsoft.Compute/diskEncryptionSets/read | Enables encryption of VM while restoring. |
Microsoft.Compute/proximityPlacementGroups/read | Enables assigning the Proximity Placement Group to the restored VM. |
Microsoft.Compute/locations/* | Gets list of regions. |
Microsoft.Compute/snapshots/* | Enables create, read, write, and delete operations on snapshots. |
Microsoft.Compute/virtualMachines/* | Enables create, read, and write operations on VMs. |
Microsoft.Network/locations/* | Gets network details and is used during list and restore operations. |
Microsoft.Network/networkInterfaces/* | Required for restore operation. |
Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group during restore. |
Microsoft.Network/networkSecurityGroups/read | Gets a network security group definition during backup. |
Microsoft.Network/publicIPAddresses/join/action | Joins a public IP address during restore. |
Microsoft.Network/publicIPAddresses/read | Gets a public IP address definition during backup. |
Microsoft.Network/publicIPAddresses/write | Creates a public IP address or updates an existing public IP address during restore. If it is not provided, the restore operation will still be successful but the public IP address will not be assigned. You must manually assign it. There will be a warning and the restore status will be 'Partially successful'. |
Microsoft.Network/virtualNetworks/read | Gets the virtual network definition during restore. |
Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network during restore. |
Microsoft.Network/networkSecurityGroups/read | Gets the network security group during restore. |
Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition during restore. |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability status of all resources in the specified scope during resource listing. |
Microsoft.Resources/deployments/* | Checks the status of deployment of resources during restore. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Resources/subscriptions/resources/read | Gets resources of a subscription. |
Microsoft.Storage/storageAccounts/blobServices/containers/delete | Deletes the page blob after the restore operation is completed. Required for cross-region and PowerProtect DD Virtual Edition (DDVE) features. |
Microsoft.Storage/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. Required to restore native and DDVE snapshots. |
Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. Required for blob container snapshots and for the restore operation. |
Microsoft.KeyVault/vaults/deploy/action | Enables access to secrets in a key vault when deploying Azure resources. Required for create snapshot and restore operations for encrypted disks. |
Microsoft.KeyVault/vaults/secrets/readMetadata/action | Lists or views the properties of a secret, but not its value. |
Microsoft.KeyVault/vaults/keys/read | Lists keys in the specified vault, or reads properties and public material of a key. For asymmetric keys, this operation exposes the public key and includes the ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed. |
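
To check a custom role against the table before assigning it, the following Python audit is an added example (not code from Cloud Snapshot Manager or its vendor). It assumes a role definition with `Actions`, `NotActions`, `DataActions` and `NotDataActions` keys, pools control-plane and data actions because the table does not distinguish them, and uses a constructed sample role.

```python
import re

# Permissions from the table above, grouped by resource provider.
REQUIRED = {
    "Microsoft.Authorization": "*/read",
    "Microsoft.Compute": "availabilitySets/* disks/* diskEncryptionSets/read "
                         "proximityPlacementGroups/read locations/* snapshots/* virtualMachines/*",
    "Microsoft.Network": "locations/* networkInterfaces/* networkSecurityGroups/join/action "
                         "networkSecurityGroups/read publicIPAddresses/join/action "
                         "publicIPAddresses/read publicIPAddresses/write virtualNetworks/read "
                         "virtualNetworks/subnets/join/action virtualNetworks/subnets/read",
    "Microsoft.ResourceHealth": "availabilityStatuses/read",
    "Microsoft.Resources": "deployments/* subscriptions/resourceGroups/read subscriptions/resources/read",
    "Microsoft.Storage": "storageAccounts/blobServices/containers/delete "
                         "storageAccounts/listKeys/action storageAccounts/read",
    "Microsoft.KeyVault": "vaults/deploy/action vaults/secrets/readMetadata/action vaults/keys/read",
}
# Per the table, restore still completes without this one ('Partially successful').
DEGRADED_ONLY = {"Microsoft.Network/publicIPAddresses/write"}

def covers(granted, needed):
    """True if wildcard pattern `granted` matches everything `needed` matches."""
    rx = ".*".join(re.escape(part) for part in granted.split("*"))
    return re.fullmatch(rx, needed, re.IGNORECASE) is not None

def audit(role):
    """Return (missing, degraded) permission lists for a role-definition dict."""
    allow = role.get("Actions", []) + role.get("DataActions", [])
    deny = role.get("NotActions", []) + role.get("NotDataActions", [])
    missing, degraded = [], []
    for provider, suffixes in REQUIRED.items():
        for suffix in suffixes.split():
            perm = f"{provider}/{suffix}"
            granted = any(covers(a, perm) for a in allow)
            # Conservative: an exclusion that overlaps the permission counts as a gap.
            excluded = any(covers(d, perm) or covers(perm, d) for d in deny)
            if not granted or excluded:
                (degraded if perm in DEGRADED_ONLY else missing).append(perm)
    return missing, degraded

# Constructed sample role for illustration; not a vendor-supplied definition.
SAMPLE_ROLE = {
    "Actions": ["Microsoft.Authorization/*/read", "Microsoft.Compute/*",
                "Microsoft.Network/*/read", "Microsoft.Network/locations/*",
                "Microsoft.Network/networkInterfaces/*", "Microsoft.Resources/*",
                "Microsoft.Storage/storageAccounts/read"],
    "NotActions": ["Microsoft.Compute/snapshots/delete"],
}

if __name__ == "__main__":
    print(audit(SAMPLE_ROLE))
```

For the sample role, the audit reports `Microsoft.Compute/snapshots/*` as missing because the `NotActions` entry removes snapshot deletion, and lists `Microsoft.Network/publicIPAddresses/write` separately because its absence only degrades restore.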