
As a baseline, my role currently looks like this. Are there any permissions that are overloaded or unnecessary for these tasks?

{
  "Name": "Azure SQL Managed Instance Restore and Backup",
  "IsCustom": true,
  "Description": "Permissions requisite to permit backup and restore actions on an Azure SQL Managed Instance",
  "Actions": [
    "Microsoft.Sql/locations/*/read",
    "Microsoft.Sql/locations/instanceFailoverGroups/*",
    "Microsoft.Sql/managedInstances/*",
    "Microsoft.Network/virtualNetworks/subnets/*",
    "Microsoft.Network/virtualNetworks/*",
    "Microsoft.Network/networkSecurityGroups/*",
    "Microsoft.Network/routeTables/*",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Authorization/*/read",
    "Microsoft.Insights/alertRules/*/read",
    "Microsoft.Insights/metrics/read",
    "Microsoft.Insights/metricDefinitions/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Support/*"
  ],
  "NotActions": [
  ],
  "AssignableScopes": [
    "/subscriptions/<subscription-id>"
  ]
}
Chamberlain
John Fisher

1 Answer


Just for the specific operations of backing up and restoring an Azure SQL Managed Instance, the Microsoft.Sql/managedInstances/* action should be enough.

But from my experience, the actions are sometimes used together, e.g. when you navigate to the SQL Managed Instance in the portal (you click Resource groups -> select the resource group -> select the SQL Managed Instance), you actually use the Microsoft.Resources/subscriptions/resourceGroups/read and Microsoft.Sql/managedInstances/* actions.

So in your case, I recommend you use a role like the one below.

{
  "Name": "Azure SQL Managed Instance Restore and Backup",
  "IsCustom": true,
  "Description": "Permissions requisite to permit backup and restore actions on an Azure SQL Managed Instance",
  "Actions": [
    "Microsoft.Sql/locations/*/read",
    "Microsoft.Sql/locations/instanceFailoverGroups/*",
    "Microsoft.Sql/managedInstances/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [
  ],
  "AssignableScopes": [
    "/subscriptions/<subscription-id>"
  ]
}
Joy Wang
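An added audit script (my own example, not code from the question or the answer) that applies the answer's reasoning mechanically to the baseline role: every action that is not read-only and belongs to a resource provider other than Microsoft.Sql is flagged as over-broad, which yields exactly the wildcard write actions the answer dropped; the read-only Insights/Authorization/ResourceHealth actions are left for you to judge. The allowed-provider set and the constructed copy of the role are assumptions.

```python
import json

# Constructed copy of the baseline role definition posted in the question.
BASELINE_ROLE = json.loads("""{
  "Name": "Azure SQL Managed Instance Restore and Backup",
  "IsCustom": true,
  "Actions": [
    "Microsoft.Sql/locations/*/read",
    "Microsoft.Sql/locations/instanceFailoverGroups/*",
    "Microsoft.Sql/managedInstances/*",
    "Microsoft.Network/virtualNetworks/subnets/*",
    "Microsoft.Network/virtualNetworks/*",
    "Microsoft.Network/networkSecurityGroups/*",
    "Microsoft.Network/routeTables/*",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Authorization/*/read",
    "Microsoft.Insights/alertRules/*/read",
    "Microsoft.Insights/metrics/read",
    "Microsoft.Insights/metricDefinitions/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Support/*"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/<subscription-id>"]
}""")


def is_read_only(action: str) -> bool:
    """True when the last segment is 'read', e.g. 'Microsoft.Authorization/*/read'."""
    return action.rsplit("/", 1)[-1] == "read"


def overbroad_actions(role: dict, allowed_providers: set) -> list:
    """Non-read actions outside the providers this role is meant to manage.

    A trailing '*' (e.g. 'Microsoft.Network/routeTables/*') grants write and
    delete on resources a backup/restore task never needs, so it is flagged.
    """
    return [a for a in role["Actions"]
            if not is_read_only(a) and a.split("/", 1)[0] not in allowed_providers]


def without_actions(role: dict, drop: list) -> dict:
    """Copy of the role with the listed actions removed; NotActions is untouched."""
    trimmed = dict(role)
    trimmed["Actions"] = [a for a in role["Actions"] if a not in set(drop)]
    return trimmed


if __name__ == "__main__":
    flagged = overbroad_actions(BASELINE_ROLE, {"Microsoft.Sql"})  # assumed allow-list
    print("over-broad actions:", *flagged, sep="\n  ")
    print(json.dumps(without_actions(BASELINE_ROLE, flagged), indent=2))
```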