Article number
Affected Versions
Source Hypervisor
Target Hypervisor

Granular Roles and Permission for Azure

Viewed 974 times


When performing any account related operation, such as creating Storage Account, or compute operation, such as creating a Virtual Machine, the request needs to be authenticated by a Service Principal object in the subscription’s Azure Active Directory. 

The Service Principal object can be of 3 types: 

  • User in the Active Directory. 

  • Registered application in the Active Directory. 

  • A Managed Identity in the Active Directory. 

There are 2 types of Managed Identities: 

  • System-Assigned Managed Identity 

  • A System assigned managed identity is bound to a specific Azure resource, for example a Virtual Machine, and has the same life cycle. 

  • User-Assigned Managed Identity 

  • A User-Assigned Managed Identity can be applied to multiple Azure resources, within a Subscription, and has an independent life cycle. 

In 8.0, Zerto choose to use a User-Assigned Managed Identity that is applied to the ZCA virtual machine. 

When using a Managed Identity for authentication, Azure checks two things for every operation. 

  1. The resource that created the request (the ZCA) is given an identity. 

  1. The roles set for identity are enough for the operation. 

If one of the two is not set, the operation will fail. 

Before installing Zerto, the Managed Identity must be created and configured with the required permissions, and then applied to the ZCA Virtual Machine.


When installing ZCA, Zerto requires applying the following roles to the ZCA’s identity:

  • Owner or Contributor.

  • Storage Blob Data Contributor.

  • Storage Queue Data Contributor.

Those roles allow applications that have them assigned to perform additional operations that are not needed for ZCA functionality. A custom role was created which only has the minimum permissions required in the Subscription for ZCA functionality.

If you prefer to configure the custom role using Azure Powershell and a pre-configured JSON, you can follow this guide:

To create and assign the custom role via the Azure Portal, you can follow below: 

Navigate to All Services and click Subscriptions. 


Select the Subscription to which the ZCA is associated. 

Navigate to Access control (IAM) and click Roles 


Click on Add and select Add custom role 


The customer defines a Custom Role using the permissions listed in Zerto - Prerequisites & Requirements for Microsoft Azure Environments, in the section Minimum Required Azure Permissions 

Paste the permissions from the JSON format located here into the permissions section in the JSON tab 


Or add them using the Permissions tab. 


The custom role is created in Azure Active Directory (AAD).  If ZCAs exist on multiple Subscriptions under the same Tenant, the custom role only needs to be created once and then assigned to all the needed subscriptions under assignableScopes in the JSON tab or adding them in Assignable scopes tab. 


The role can use any name desired, as Zerto is only validating that the role was assigned by the actions defined in the role, not by the name. 


Attach the created role to the identity 

Just like in previous versions, the role must be assigned to the identity set on the ZCA VM,. The only difference is that instead of applying the 3 built-in roles 

  1. Owner or Contributor. 

  1. Storage Blob Data Contributor. 

  1. Storage Queue Data Contributor. 

Only the custom role must be added. 

To attach the custom role: 

Navigate to All Services and click Subscriptions. 


Select the Subscription to which the ZCA is associated. 

Navigate to Access control (IAM) and click Add on Add a Role assignment 


In the Add role assignment window, configure the following: 

Role: <the custom role name> 

Assign access to: User Assigned Managed Identity 

Subscription: The subscription to which the ZCA is associated. 

Select: Select the User-Assigned Managed Identity. 

And click Save. 

The user can continue with the installation.