Azure permissions for the Console agent

11/12/2025 Contributors

When the NetApp Console launches a Console agent in Azure, it attaches a custom role to the VM that provides the agent with permissions to manage resources and processes within that Azure subscription. The agent uses the permissions to make API calls to several Azure services.

Whether or not you need to create this custom role for the agent depends on how you deployed it.

Deploying from NetApp Console

When you use the Console to deploy the agent virtual machine in Azure, it enables a system-assigned managed identity on the virtual machine, creates a custom role, and assigns it to the virtual machine. The role provides the Console with the permissions required to manage resources and processes within that Azure subscription. The role's permissions are kept up-to-date when the agent is upgraded. You don't need to create this role for the agent or manage updates.

Deploying manually or from Azure marketplace

When you deploy the agent from the Azure Marketplace or if you manually install the agent on a Linux host, then you need to set up the custom role yourself and maintain its permissions with any changes.

You'll need to ensure that the role is up to date as new permissions are added in subsequent releases. If new permissions are required, they will be listed in the release notes.

To view step-by-step instructions for using these policies, refer to the following pages:

The following is a custom policy for Backup and Recovery that uses the fewest possible permissions and the narrowest possible scope:

{
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionGuid}",
  "properties": {
    "roleName": "Custom Role",
    "description": "Minimal permissions required for Backup and Recovery.",
    "assignableScopes": [
      "/subscriptions/{subscriptionId}",
      "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupNameContainingConnectorAndStorageAccount}",
      "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupNameContainingConnectorAndStorageAccount}/providers/Microsoft.Storage/storageAccounts/{storageAccountNameWithObjectLockPreprovisioned}"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Storage/storageAccounts/listkeys/action",
          "Microsoft.Storage/storageAccounts/read",
          "Microsoft.Storage/storageAccounts/write",
          "Microsoft.Storage/storageAccounts/blobServices/containers/read",
          "Microsoft.Storage/storageAccounts/listAccountSas/action",
          "Microsoft.Resources/subscriptions/locations/read",
          "Microsoft.Resources/subscriptions/resourcegroups/resources/read",
          "Microsoft.Resources/subscriptions/resourceGroups/write",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Storage/storageAccounts/managementPolicies/read",
          "Microsoft.Storage/storageAccounts/managementPolicies/write",
          "Microsoft.Authorization/locks/write",
          "Microsoft.Authorization/locks/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}

How Azure permissions are used

The following sections describe how the permissions are used for each NetApp storage system and data service. This information can be helpful if your corporate policies dictate that permissions are only provided as needed.

Azure NetApp Files

The agent makes the following API requests when you use NetApp Data Classification to scan Azure NetApp Files data:

Microsoft.NetApp/netAppAccounts/read
Microsoft.NetApp/netAppAccounts/capacityPools/read
Microsoft.NetApp/netAppAccounts/capacityPools/volumes/write
Microsoft.NetApp/netAppAccounts/capacityPools/volumes/read
Microsoft.NetApp/netAppAccounts/capacityPools/volumes/delete

Minimal NetApp Backup and Recovery permissions

The Console agent makes the following API requests for basic NetApp Backup and Recovery functionality:

Microsoft.Storage/storageAccounts/listkeys/action
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/write
Microsoft.Storage/storageAccounts/blobServices/containers/read
Microsoft.Storage/storageAccounts/listAccountSas/action
Microsoft.Resources/subscriptions/locations/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/subscriptions/resourcegroups/resources/read
Microsoft.Resources/subscriptions/resourceGroups/write
Microsoft.Storage/storageAccounts/managementPolicies/read
Microsoft.Storage/storageAccounts/managementPolicies/write
Microsoft.Authorization/locks/write
Microsoft.Authorization/locks/read

Additional Backup and Recovery permissions

The console agent makes the following API requests for advanced Backup and Recovery operations and Search & Restore features. These permissions enable management of networking, key vaults, and managed identities:

Microsoft.KeyVault/vaults/accessPolicies/write
Microsoft.KeyVault/vaults/read
Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
Microsoft.Network/networkInterfaces/delete
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkSecurityGroups/delete
Microsoft.Network/privateDnsZones/read
Microsoft.Network/privateDnsZones/write
Microsoft.Network/privateEndpoints/read
Microsoft.Network/privateEndpoints/write
Microsoft.Network/virtualNetworks/join/action
Microsoft.Resources/deployments/delete

Legacy permissions for Backup and Recovery

The agent makes the following API requests when you use the Search & Restore functionality. You only need these permissions if you enabled legacy indexing features before the release of indexing v2:

Microsoft.Synapse/workspaces/write
Microsoft.Synapse/workspaces/read
Microsoft.Synapse/workspaces/delete
Microsoft.Synapse/register/action
Microsoft.Synapse/checkNameAvailability/action
Microsoft.Synapse/workspaces/operationStatuses/read
Microsoft.Synapse/workspaces/firewallRules/read
Microsoft.Synapse/workspaces/replaceAllIpFirewallRules/action
Microsoft.Synapse/workspaces/operationResults/read
Microsoft.Synapse/workspaces/privateEndpointConnectionsApproval/action

NetApp Data Classification

The agent makes the following API requests when you use Data Classification.

Action	Used for set up?	Used for daily operations?
Microsoft.Compute/locations/operations/read	Yes	Yes
Microsoft.Compute/locations/vmSizes/read	Yes	Yes
Microsoft.Compute/operations/read	Yes	Yes
Microsoft.Compute/virtualMachines/instanceView/read	Yes	Yes
Microsoft.Compute/virtualMachines/powerOff/action	Yes	No
Microsoft.Compute/virtualMachines/read	Yes	Yes
Microsoft.Compute/virtualMachines/restart/action	Yes	No
Microsoft.Compute/virtualMachines/start/action	Yes	No
Microsoft.Compute/virtualMachines/vmSizes/read	No	Yes
Microsoft.Compute/virtualMachines/write	Yes	No
Microsoft.Compute/images/read	Yes	Yes
Microsoft.Compute/disks/delete	Yes	No
Microsoft.Compute/disks/read	Yes	Yes
Microsoft.Compute/disks/write	Yes	No
Microsoft.Storage/checknameavailability/read	Yes	Yes
Microsoft.Storage/operations/read	Yes	Yes
Microsoft.Storage/storageAccounts/listkeys/action	Yes	No
Microsoft.Storage/storageAccounts/read	Yes	Yes
Microsoft.Storage/storageAccounts/write	Yes	No
Microsoft.Storage/storageAccounts/blobServices/containers/read	Yes	Yes
Microsoft.Network/networkInterfaces/read	Yes	Yes
Microsoft.Network/networkInterfaces/write	Yes	No
Microsoft.Network/networkInterfaces/join/action	Yes	No
Microsoft.Network/networkSecurityGroups/read	Yes	Yes
Microsoft.Network/networkSecurityGroups/write	Yes	No
Microsoft.Resources/subscriptions/locations/read	Yes	Yes
Microsoft.Network/locations/operationResults/read	Yes	Yes
Microsoft.Network/locations/operations/read	Yes	Yes
Microsoft.Network/virtualNetworks/read	Yes	Yes
Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read	Yes	Yes
Microsoft.Network/virtualNetworks/subnets/read	Yes	Yes
Microsoft.Network/virtualNetworks/subnets/virtualMachines/read	Yes	Yes
Microsoft.Network/virtualNetworks/virtualMachines/read	Yes	Yes
Microsoft.Network/virtualNetworks/subnets/join/action	Yes	No
Microsoft.Network/virtualNetworks/subnets/write	Yes	No
Microsoft.Network/routeTables/join/action	Yes	No
Microsoft.Resources/deployments/operations/read	Yes	Yes
Microsoft.Resources/deployments/read	Yes	Yes
Microsoft.Resources/deployments/write	Yes	No
Microsoft.Resources/resources/read	Yes	Yes
Microsoft.Resources/subscriptions/operationresults/read	Yes	Yes
Microsoft.Resources/subscriptions/resourceGroups/delete	Yes	No
Microsoft.Resources/subscriptions/resourceGroups/read	Yes	Yes
Microsoft.Resources/subscriptions/resourcegroups/resources/read	Yes	Yes
Microsoft.Resources/subscriptions/resourceGroups/write	Yes	No

Action

Used for set up?

Used for daily operations?

Microsoft.Compute/locations/operations/read

Yes

Microsoft.Compute/locations/vmSizes/read

Yes

Microsoft.Compute/operations/read

Yes

Microsoft.Compute/virtualMachines/instanceView/read

Yes

Microsoft.Compute/virtualMachines/powerOff/action

Yes

Microsoft.Compute/virtualMachines/read

Yes

Microsoft.Compute/virtualMachines/restart/action

Yes

Microsoft.Compute/virtualMachines/start/action

Yes

Microsoft.Compute/virtualMachines/vmSizes/read

Yes

Microsoft.Compute/virtualMachines/write

Yes

Microsoft.Compute/images/read

Yes

Microsoft.Compute/disks/delete

Yes

Microsoft.Compute/disks/read

Yes

Microsoft.Compute/disks/write

Yes

Microsoft.Storage/checknameavailability/read

Yes

Microsoft.Storage/operations/read

Yes

Microsoft.Storage/storageAccounts/listkeys/action

Yes

Microsoft.Storage/storageAccounts/read

Yes

Microsoft.Storage/storageAccounts/write

Yes

Microsoft.Storage/storageAccounts/blobServices/containers/read

Yes

Microsoft.Network/networkInterfaces/read

Yes

Microsoft.Network/networkInterfaces/write

Yes

Microsoft.Network/networkInterfaces/join/action

Yes

Microsoft.Network/networkSecurityGroups/read

Yes

Microsoft.Network/networkSecurityGroups/write

Yes

Microsoft.Resources/subscriptions/locations/read

Yes

Microsoft.Network/locations/operationResults/read

Yes

Microsoft.Network/locations/operations/read

Yes

Microsoft.Network/virtualNetworks/read

Yes

Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read

Yes

Microsoft.Network/virtualNetworks/subnets/read

Yes

Microsoft.Network/virtualNetworks/subnets/virtualMachines/read

Yes

Microsoft.Network/virtualNetworks/virtualMachines/read

Yes

Microsoft.Network/virtualNetworks/subnets/join/action

Yes

Microsoft.Network/virtualNetworks/subnets/write

Yes

Microsoft.Network/routeTables/join/action

Yes

Microsoft.Resources/deployments/operations/read

Yes

Microsoft.Resources/deployments/read

Yes

Microsoft.Resources/deployments/write

Yes

Microsoft.Resources/resources/read

Yes

Microsoft.Resources/subscriptions/operationresults/read

Yes

Microsoft.Resources/subscriptions/resourceGroups/delete

Yes

Microsoft.Resources/subscriptions/resourceGroups/read

Yes

Microsoft.Resources/subscriptions/resourcegroups/resources/read

Yes

Microsoft.Resources/subscriptions/resourceGroups/write

Yes

Cloud Volumes ONTAP

The agent makes the following API requests to deploy and manage Cloud Volumes ONTAP in Azure.

Purpose	Action	Used for deployment?	Used for daily operations?	Used for deletion?
Create and manage VMs	Microsoft.Compute/locations/operations/read	Yes	Yes	No
Microsoft.Compute/locations/vmSizes/read	Yes	Yes	No
Microsoft.Resources/subscriptions/locations/read	Yes	No	No
Microsoft.Compute/operations/read	Yes	Yes	No
Microsoft.Compute/virtualMachines/instanceView/read	Yes	Yes	No
Microsoft.Compute/virtualMachines/powerOff/action	Yes	Yes	No
Microsoft.Compute/virtualMachines/read	Yes	Yes	No
Microsoft.Compute/virtualMachines/restart/action	Yes	Yes	No
Microsoft.Compute/virtualMachines/start/action	Yes	Yes	No
Microsoft.Compute/virtualMachines/deallocate/action	No	Yes	Yes
Microsoft.Compute/virtualMachines/vmSizes/read	No	Yes	No
Microsoft.Compute/virtualMachines/write	Yes	Yes	No
Microsoft.Compute/virtualMachines/delete	Yes	Yes	Yes
Microsoft.Resources/deployments/delete	Yes	No	No
Enable deployment from a VHD	Microsoft.Compute/images/read	Yes	No	No
Microsoft.Compute/images/write	Yes	No	No
Create and manage network interfaces in the target subnet	Microsoft.Network/networkInterfaces/read	Yes	Yes	No
Microsoft.Network/networkInterfaces/write	Yes	Yes	No
Microsoft.Network/networkInterfaces/join/action	Yes	Yes	No
Microsoft.Network/networkInterfaces/delete	Yes	Yes	No
Create and manage network security groups	Microsoft.Network/networkSecurityGroups/read	Yes	Yes	No
Microsoft.Network/networkSecurityGroups/write	Yes	Yes	No
Microsoft.Network/networkSecurityGroups/join/action	Yes	No	No
Microsoft.Network/networkSecurityGroups/delete	No	Yes	Yes
Get network information about regions, the target VNet and subnet, and add the VMs to VNets	Microsoft.Network/locations/operationResults/read	Yes	Yes	No
Microsoft.Network/locations/operations/read	Yes	Yes	No
Microsoft.Network/virtualNetworks/read	Yes	No	No
Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read	Yes	No	No
Microsoft.Network/virtualNetworks/subnets/read	Yes	Yes	No
Microsoft.Network/virtualNetworks/subnets/virtualMachines/read	Yes	Yes	No
Microsoft.Network/virtualNetworks/virtualMachines/read	Yes	Yes	No
Microsoft.Network/virtualNetworks/subnets/join/action	Yes	Yes	No
Create and manage resource groups	Microsoft.Resources/deployments/operations/read	Yes	Yes	No
Microsoft.Resources/deployments/read	Yes	Yes	No
Microsoft.Resources/deployments/write	Yes	Yes	No
Microsoft.Resources/resources/read	Yes	Yes	No
Microsoft.Resources/subscriptions/operationresults/read	Yes	Yes	No
Microsoft.Resources/subscriptions/resourceGroups/delete	Yes	Yes	Yes
Microsoft.Resources/subscriptions/resourceGroups/read	No	Yes	No
Microsoft.Resources/subscriptions/resourcegroups/resources/read	Yes	Yes	No
Microsoft.Resources/subscriptions/resourceGroups/write	Yes	Yes	No
Manage Azure storage accounts and disks	Microsoft.Compute/disks/read	Yes	Yes	Yes
Microsoft.Compute/disks/write	Yes	Yes	No
Microsoft.Compute/disks/delete	Yes	Yes	Yes
Microsoft.Storage/checknameavailability/read	Yes	Yes	No
Microsoft.Storage/operations/read	Yes	Yes	No
Microsoft.Storage/storageAccounts/listkeys/action	Yes	Yes	No
Microsoft.Storage/storageAccounts/read	Yes	Yes	No
Microsoft.Storage/storageAccounts/delete	No	Yes	Yes
Microsoft.Storage/storageAccounts/write	Yes	Yes	No
Microsoft.Storage/usages/read	No	Yes	No
Enable backups to Blob storage and encryption of storage accounts	Microsoft.Storage/storageAccounts/blobServices/containers/read	Yes	Yes	No
Microsoft.KeyVault/vaults/read	Yes	Yes	No
Microsoft.KeyVault/vaults/accessPolicies/write	Yes	Yes	No
Enable VNet service endpoints for data tiering	Microsoft.Network/virtualNetworks/subnets/write	Yes	Yes	No
Microsoft.Network/routeTables/join/action	Yes	Yes	No
Create and manage Azure managed snapshots	Microsoft.Compute/snapshots/write	Yes	Yes	No
Microsoft.Compute/snapshots/read	Yes	Yes	No
Microsoft.Compute/snapshots/delete	No	Yes	Yes
Microsoft.Compute/disks/beginGetAccess/action	No	Yes	No
Create and manage availability sets	Microsoft.Compute/availabilitySets/write	Yes	No	No
Microsoft.Compute/availabilitySets/read	Yes	No	No
Enable programmatic deployments from the marketplace	Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read	Yes	No	No
Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write	Yes	Yes	No
Manage a load balancer for HA pairs	Microsoft.Network/loadBalancers/read	Yes	Yes	No
Microsoft.Network/loadBalancers/write	Yes	No	No
Microsoft.Network/loadBalancers/delete	No	Yes	Yes
Microsoft.Network/loadBalancers/backendAddressPools/read	Yes	No	No
Microsoft.Network/loadBalancers/backendAddressPools/join/action	Yes	No	No
Microsoft.Network/loadBalancers/frontendIPConfigurations/read	Yes	Yes	No
Microsoft.Network/loadBalancers/loadBalancingRules/read	Yes	No	No
Microsoft.Network/loadBalancers/probes/read	Yes	No	No
Microsoft.Network/loadBalancers/probes/join/action	Yes	No	No
Enable management of locks on Azure disks	Microsoft.Authorization/locks/*	Yes	Yes	No
Enable private endpoints for HA pairs when there's no connectivity outside the subnet	Microsoft.Network/privateEndpoints/write	Yes	Yes	No
Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action	Yes	No	No
Microsoft.Storage/storageAccounts/privateEndpointConnections/read	Yes	Yes	Yes
Microsoft.Network/privateEndpoints/read	Yes	Yes	Yes
Microsoft.Network/privateDnsZones/write	Yes	Yes	No
Microsoft.Network/privateDnsZones/virtualNetworkLinks/write	Yes	Yes	No
Microsoft.Network/virtualNetworks/join/action	Yes	Yes	No
Microsoft.Network/privateDnsZones/A/write	Yes	Yes	No
Microsoft.Network/privateDnsZones/read	Yes	Yes	No
Microsoft.Network/privateDnsZones/virtualNetworkLinks/read	Yes	Yes	No
Required for some VM deployments, depending on the underlying physical hardware	Microsoft.Resources/deployments/operationStatuses/read	Yes	Yes	No
Remove resources from a resource group in case of deployment failure or deletion	Microsoft.Network/privateEndpoints/delete	Yes	Yes	No
Microsoft.Compute/availabilitySets/delete	Yes	Yes	No
Enable the use of customer-managed encryption keys when using the API	Microsoft.Compute/diskEncryptionSets/read	Yes	Yes	Yes
Microsoft.Compute/diskEncryptionSets/write	Yes	Yes	No
Microsoft.KeyVault/vaults/deploy/action	Yes	No	No
Microsoft.Compute/diskEncryptionSets/delete	Yes	Yes	Yes
Configure an application security group for an HA pair to isolate the HA interconnect and cluster network NICs	Microsoft.Network/applicationSecurityGroups/write	No	Yes	No
Microsoft.Network/applicationSecurityGroups/read	No	Yes	No
Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action	No	Yes	No
Microsoft.Network/networkSecurityGroups/securityRules/write	Yes	Yes	No
Microsoft.Network/applicationSecurityGroups/delete	No	Yes	Yes
Microsoft.Network/networkSecurityGroups/securityRules/delete	No	Yes	Yes
Read, write, and delete tags associated with Cloud Volumes ONTAP resources	Microsoft.Resources/tags/read	No	Yes	No
Microsoft.Resources/tags/write	Yes	Yes	No
Microsoft.Resources/tags/delete	Yes	No	No
Encrypt storage accounts during creation	Microsoft.ManagedIdentity/userAssignedIdentities/assign/action	Yes	Yes	No
Use Virtual Machine Scale Sets in Flexible orchestration mode in order to specify specific zones for Cloud Volumes ONTAP	Microsoft.Compute/virtualMachineScaleSets/write	Yes	No	No
Microsoft.Compute/virtualMachineScaleSets/read	Yes	No	No
Microsoft.Compute/virtualMachineScaleSets/delete	No	No	Yes

Purpose

Action

Used for deployment?

Used for daily operations?

Used for deletion?

Create and manage VMs

Microsoft.Compute/locations/operations/read

Yes

Microsoft.Compute/locations/vmSizes/read

Yes

Microsoft.Resources/subscriptions/locations/read

Yes

Microsoft.Compute/operations/read

Yes

Microsoft.Compute/virtualMachines/instanceView/read

Yes

Microsoft.Compute/virtualMachines/powerOff/action

Yes

Microsoft.Compute/virtualMachines/read

Yes

Microsoft.Compute/virtualMachines/restart/action

Yes

Microsoft.Compute/virtualMachines/start/action

Yes

Microsoft.Compute/virtualMachines/deallocate/action

Yes

Microsoft.Compute/virtualMachines/vmSizes/read

Yes

Microsoft.Compute/virtualMachines/write

Yes

Microsoft.Compute/virtualMachines/delete

Yes

Microsoft.Resources/deployments/delete

Yes

Enable deployment from a VHD

Microsoft.Compute/images/read

Yes

Microsoft.Compute/images/write

Yes

Create and manage network interfaces in the target subnet

Microsoft.Network/networkInterfaces/read

Yes

Microsoft.Network/networkInterfaces/write

Yes

Microsoft.Network/networkInterfaces/join/action

Yes

Microsoft.Network/networkInterfaces/delete

Yes

Create and manage network security groups

Microsoft.Network/networkSecurityGroups/read

Yes

Microsoft.Network/networkSecurityGroups/write

Yes

Microsoft.Network/networkSecurityGroups/join/action

Yes

Microsoft.Network/networkSecurityGroups/delete

Yes

Get network information about regions, the target VNet and subnet, and add the VMs to VNets

Microsoft.Network/locations/operationResults/read

Yes

Microsoft.Network/locations/operations/read

Yes

Microsoft.Network/virtualNetworks/read

Yes

Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read

Yes

Microsoft.Network/virtualNetworks/subnets/read

Yes

Microsoft.Network/virtualNetworks/subnets/virtualMachines/read

Yes

Microsoft.Network/virtualNetworks/virtualMachines/read

Yes

Microsoft.Network/virtualNetworks/subnets/join/action

Yes

Create and manage resource groups

Microsoft.Resources/deployments/operations/read

Yes

Microsoft.Resources/deployments/read

Yes

Microsoft.Resources/deployments/write

Yes

Microsoft.Resources/resources/read

Yes

Microsoft.Resources/subscriptions/operationresults/read

Yes

Microsoft.Resources/subscriptions/resourceGroups/delete

Yes

Microsoft.Resources/subscriptions/resourceGroups/read

Yes

Microsoft.Resources/subscriptions/resourcegroups/resources/read

Yes

Microsoft.Resources/subscriptions/resourceGroups/write

Yes

Manage Azure storage accounts and disks

Microsoft.Compute/disks/read

Yes

Microsoft.Compute/disks/write

Yes

Microsoft.Compute/disks/delete

Yes

Microsoft.Storage/checknameavailability/read

Yes

Microsoft.Storage/operations/read

Yes

Microsoft.Storage/storageAccounts/listkeys/action

Yes

Microsoft.Storage/storageAccounts/read

Yes

Microsoft.Storage/storageAccounts/delete

Yes

Microsoft.Storage/storageAccounts/write

Yes

Microsoft.Storage/usages/read

Yes

Enable backups to Blob storage and encryption of storage accounts

Microsoft.Storage/storageAccounts/blobServices/containers/read

Yes

Microsoft.KeyVault/vaults/read

Yes

Microsoft.KeyVault/vaults/accessPolicies/write

Yes

Enable VNet service endpoints for data tiering

Microsoft.Network/virtualNetworks/subnets/write

Yes

Microsoft.Network/routeTables/join/action

Yes

Create and manage Azure managed snapshots

Microsoft.Compute/snapshots/write

Yes

Microsoft.Compute/snapshots/read

Yes

Microsoft.Compute/snapshots/delete

Yes

Microsoft.Compute/disks/beginGetAccess/action

Yes

Create and manage availability sets

Microsoft.Compute/availabilitySets/write

Yes

Microsoft.Compute/availabilitySets/read

Yes

Enable programmatic deployments from the marketplace

Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read

Yes

Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write

Yes

Manage a load balancer for HA pairs

Microsoft.Network/loadBalancers/read

Yes

Microsoft.Network/loadBalancers/write

Yes

Microsoft.Network/loadBalancers/delete

Yes

Microsoft.Network/loadBalancers/backendAddressPools/read

Yes

Microsoft.Network/loadBalancers/backendAddressPools/join/action

Yes

Microsoft.Network/loadBalancers/frontendIPConfigurations/read

Yes

Microsoft.Network/loadBalancers/loadBalancingRules/read

Yes

Microsoft.Network/loadBalancers/probes/read

Yes

Microsoft.Network/loadBalancers/probes/join/action

Yes

Enable management of locks on Azure disks

Microsoft.Authorization/locks/*

Yes

Enable private endpoints for HA pairs when there's no connectivity outside the subnet

Microsoft.Network/privateEndpoints/write

Yes

Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action

Yes

Microsoft.Storage/storageAccounts/privateEndpointConnections/read

Yes

Microsoft.Network/privateEndpoints/read

Yes

Microsoft.Network/privateDnsZones/write

Yes

Microsoft.Network/privateDnsZones/virtualNetworkLinks/write

Yes

Microsoft.Network/virtualNetworks/join/action

Yes

Microsoft.Network/privateDnsZones/A/write

Yes

Microsoft.Network/privateDnsZones/read

Yes

Microsoft.Network/privateDnsZones/virtualNetworkLinks/read

Yes

Required for some VM deployments, depending on the underlying physical hardware

Microsoft.Resources/deployments/operationStatuses/read

Yes

Remove resources from a resource group in case of deployment failure or deletion

Microsoft.Network/privateEndpoints/delete

Yes

Microsoft.Compute/availabilitySets/delete

Yes

Enable the use of customer-managed encryption keys when using the API

Microsoft.Compute/diskEncryptionSets/read

Yes

Microsoft.Compute/diskEncryptionSets/write

Yes

Microsoft.KeyVault/vaults/deploy/action

Yes

Microsoft.Compute/diskEncryptionSets/delete

Yes

Configure an application security group for an HA pair to isolate the HA interconnect and cluster network NICs

Microsoft.Network/applicationSecurityGroups/write

Yes

Microsoft.Network/applicationSecurityGroups/read

Yes

Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action

Yes

Microsoft.Network/networkSecurityGroups/securityRules/write

Yes

Microsoft.Network/applicationSecurityGroups/delete

Yes

Microsoft.Network/networkSecurityGroups/securityRules/delete

Yes

Read, write, and delete tags associated with Cloud Volumes ONTAP resources

Microsoft.Resources/tags/read

Yes

Microsoft.Resources/tags/write

Yes

Microsoft.Resources/tags/delete

Yes

Encrypt storage accounts during creation

Microsoft.ManagedIdentity/userAssignedIdentities/assign/action

Yes

Use Virtual Machine Scale Sets in Flexible orchestration mode in order to specify specific zones for Cloud Volumes ONTAP

Microsoft.Compute/virtualMachineScaleSets/write

Yes

Microsoft.Compute/virtualMachineScaleSets/read

Yes

Microsoft.Compute/virtualMachineScaleSets/delete

Yes

Tiering

The agent makes the following API requests when you set up NetApp Cloud Tiering.

Microsoft.Storage/storageAccounts/listkeys/action
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/subscriptions/locations/read

The Console agent makes the following API requests for daily operations.

Microsoft.Storage/storageAccounts/blobServices/containers/read
Microsoft.Storage/storageAccounts/managementPolicies/read
Microsoft.Storage/storageAccounts/managementPolicies/write
Microsoft.Storage/storageAccounts/read

Change log

As permissions are added and removed, we'll note them in the sections below.

11 November 2025

The following permissions were removed from the JSON role example so that the example can reflect the minimum required permissions for Backup and Recovery:

Details

Microsoft.Compute/disks/delete
Microsoft.Compute/disks/read
Microsoft.Compute/disks/write
Microsoft.Compute/locations/operations/read
Microsoft.Compute/locations/vmSizes/read
Microsoft.Compute/operations/read
Microsoft.Compute/virtualMachines/instanceView/read
Microsoft.Compute/virtualMachines/powerOff/action
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/restart/action
Microsoft.Compute/virtualMachines/deallocate/action
Microsoft.Compute/virtualMachines/start/action
Microsoft.Compute/virtualMachines/vmSizes/read
Microsoft.Compute/virtualMachines/write
Microsoft.Compute/images/read
Microsoft.Network/locations/operationResults/read
Microsoft.Network/locations/operations/read
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkInterfaces/write
Microsoft.Network/networkInterfaces/join/action
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/networkSecurityGroups/write
Microsoft.Network/networkSecurityGroups/join/action
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/write
Microsoft.Network/virtualNetworks/subnets/virtualMachines/read
Microsoft.Network/virtualNetworks/virtualMachines/read
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Resources/deployments/operations/read
Microsoft.Resources/deployments/read
Microsoft.Resources/deployments/write
Microsoft.Resources/resources/read
Microsoft.Resources/subscriptions/operationresults/read
Microsoft.Resources/subscriptions/resourceGroups/delete
Microsoft.Storage/checknameavailability/read
Microsoft.Storage/operations/read
Microsoft.Storage/storageAccounts/delete
Microsoft.Storage/usages/read
Microsoft.Compute/snapshots/write
Microsoft.Compute/snapshots/read
Microsoft.Compute/availabilitySets/write
Microsoft.Compute/availabilitySets/read
Microsoft.Compute/disks/beginGetAccess/action
Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read
Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write
Microsoft.Network/loadBalancers/read
Microsoft.Network/loadBalancers/write
Microsoft.Network/loadBalancers/delete
Microsoft.Network/loadBalancers/backendAddressPools/read
Microsoft.Network/loadBalancers/backendAddressPools/join/action
Microsoft.Network/loadBalancers/loadBalancingRules/read
Microsoft.Network/loadBalancers/probes/read
Microsoft.Network/loadBalancers/probes/join/action
Microsoft.Authorization/locks/*
Microsoft.Network/routeTables/join/action
Microsoft.NetApp/netAppAccounts/read
Microsoft.NetApp/netAppAccounts/capacityPools/read
Microsoft.NetApp/netAppAccounts/capacityPools/volumes/write
Microsoft.NetApp/netAppAccounts/capacityPools/volumes/read
Microsoft.NetApp/netAppAccounts/capacityPools/volumes/delete
Microsoft.Network/privateEndpoints/write
Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action
Microsoft.Storage/storageAccounts/privateEndpointConnections/read
Microsoft.Network/privateEndpoints/read
Microsoft.Network/privateDnsZones/write
Microsoft.Network/privateDnsZones/virtualNetworkLinks/write
Microsoft.Network/virtualNetworks/join/action
Microsoft.Network/privateDnsZones/A/write
Microsoft.Network/privateDnsZones/read
Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
Microsoft.Resources/deployments/operationStatuses/read
Microsoft.Insights/Metrics/Read
Microsoft.Compute/virtualMachines/extensions/write
Microsoft.Compute/virtualMachines/extensions/delete
Microsoft.Compute/virtualMachines/extensions/read
Microsoft.Compute/virtualMachines/delete
Microsoft.Network/networkInterfaces/delete
Microsoft.Network/networkSecurityGroups/delete
Microsoft.Resources/deployments/delete
Microsoft.Compute/diskEncryptionSets/read
Microsoft.Compute/snapshots/delete
Microsoft.Network/privateEndpoints/delete
Microsoft.Compute/availabilitySets/delete
Microsoft.KeyVault/vaults/read
Microsoft.KeyVault/vaults/accessPolicies/write
Microsoft.Compute/diskEncryptionSets/write
Microsoft.KeyVault/vaults/deploy/action
Microsoft.Compute/diskEncryptionSets/delete
Microsoft.Resources/tags/read
Microsoft.Resources/tags/write
Microsoft.Resources/tags/delete
Microsoft.Network/applicationSecurityGroups/write
Microsoft.Network/applicationSecurityGroups/read
Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action
Microsoft.Network/networkSecurityGroups/securityRules/write
Microsoft.Network/applicationSecurityGroups/delete
Microsoft.Network/networkSecurityGroups/securityRules/delete
Microsoft.Synapse/workspaces/write
Microsoft.Synapse/workspaces/read
Microsoft.Synapse/workspaces/delete
Microsoft.Synapse/register/action
Microsoft.Synapse/checkNameAvailability/action
Microsoft.Synapse/workspaces/operationStatuses/read
Microsoft.Synapse/workspaces/firewallRules/read
Microsoft.Synapse/workspaces/replaceAllIpFirewallRules/action
Microsoft.Synapse/workspaces/operationResults/read
Microsoft.Synapse/workspaces/privateEndpointConnectionsApproval/action
Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
Microsoft.Compute/images/write
Microsoft.Network/loadBalancers/frontendIPConfigurations/read
Microsoft.Compute/virtualMachineScaleSets/write
Microsoft.Compute/virtualMachineScaleSets/read
Microsoft.Compute/virtualMachineScaleSets/delete

The following permissions were added to the JSON role example:

Microsoft.Authorization/locks/write
Microsoft.Authorization/locks/read

The following permissions are no longer needed for Backup and Recovery unless you are using legacy indexing:

Microsoft.Synapse/workspaces/write
Microsoft.Synapse/workspaces/read
Microsoft.Synapse/workspaces/delete
Microsoft.Synapse/register/action
Microsoft.Synapse/checkNameAvailability/action
Microsoft.Synapse/workspaces/operationStatuses/read
Microsoft.Synapse/workspaces/firewallRules/read
Microsoft.Synapse/workspaces/replaceAllIpFirewallRules/action
Microsoft.Synapse/workspaces/operationResults/read
Microsoft.Synapse/workspaces/privateEndpointConnectionsApproval/action

The following permissions were moved to the "Additional Backup and Recovery permissions" section because they are not required for a minimal configuration:

Microsoft.Storage/storageAccounts/listkeys/action
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/write
Microsoft.Storage/storageAccounts/blobServices/containers/read
Microsoft.Storage/storageAccounts/listAccountSas/action
Microsoft.Resources/subscriptions/locations/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/subscriptions/resourcegroups/resources/read
Microsoft.Resources/subscriptions/resourceGroups/write
Microsoft.Storage/storageAccounts/managementPolicies/read
Microsoft.Storage/storageAccounts/managementPolicies/write
Microsoft.Authorization/locks/write
Microsoft.Authorization/locks/read

9 September 2024

The following permissions were removed from the JSON policy because the Console no longer supports discovery and management of Kubernetes clusters:

Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
Microsoft.ContainerService/managedClusters/read

22 August 2024

The following permissions were added to the JSON policy because they are required for Cloud Volumes ONTAP support of Virtual Machine Scale Sets:

Microsoft.Compute/virtualMachineScaleSets/write
Microsoft.Compute/virtualMachineScaleSets/read
Microsoft.Compute/virtualMachineScaleSets/delete

5 December 2023

The following permissions are no longer needed for NetApp Backup and Recovery when backing up volume data to Azure Blob storage:

Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/start/action
Microsoft.Compute/virtualMachines/deallocate/action
Microsoft.Compute/virtualMachines/extensions/delete
Microsoft.Compute/virtualMachines/delete

These permissions are required for other Console storage services, so they'll still remain in the custom role for the agent if you're using those other storage services.

12 May 2023

The following permissions were added to the JSON policy because they are required for Cloud Volumes ONTAP management:

Microsoft.Compute/images/write
Microsoft.Network/loadBalancers/frontendIPConfigurations/read

The following permissions were removed from the JSON policy because they are no longer required:

Microsoft.Storage/storageAccounts/blobServices/containers/write
Microsoft.Network/publicIPAddresses/delete

23 March 2023

The "Microsoft.Storage/storageAccounts/delete" permission is no longer needed for Data Classification.

This permission is still required for Cloud Volumes ONTAP.

5 January 2023

The following permissions were added to the JSON policy:

Microsoft.Storage/storageAccounts/listAccountSas/action
Microsoft.Synapse/workspaces/privateEndpointConnectionsApproval/action

These permissions are required for NetApp Backup and Recovery.
Microsoft.Network/loadBalancers/backendAddressPools/join/action

This permission is required for Cloud Volumes ONTAP deployment.