The prerequisite installation and operating requirements for the Zerto Cloud Appliance (ZCA) version 8.0.x uses an Azure Managed Identity with specifically assigned permissions.
The ZCA must be enabled, and the permission level on the Azure subscription must be set to the following:
Owner or Contributor
Storage Blob Data Contributor
Storage Queue Data Contributor
Zerto has a reduced set of permissions available that are lower than the Contributor-level role for steady-state operations of Zerto 8.0.x. These specific permissions can be used to create a custom role in Azure for Zerto. These permissions should meet the higher-level security requirements of these environments.
For Zerto 8.0.x installations, the Contributor-level permissions, as detailed in the installation guide, are still required.
After successfully installing Zerto 8.x with the Contributor role permissions, reduce the permissions per Zerto’s updated guidance.
The permissions needed are available in .json format and located here.
Edit the .json file and add in the subscriptions where the ZCA will run. The .json file is not just a permission object, it is the request body to create a role with the required permissions that will be assigned to the subscriptions listed in the file.
To create the custom role for the Zerto Cloud Appliance, review the steps in the Microsoft document "Create or update Azure custom roles using Azure PowerShell" and use the supplied JSON file as the template described in the 'Create a Custom Role with a JSON Template’ section.
This procedure only applies to version 8.0 and all of its updates. This procedure does not work with Zerto (ZVR) version 7.5. These permissions are planned to be integrated into the installer in a future version of Zerto (ZVR) and this procedure will be obsolete once that occurs.
You may apply this procedure to any 8.0 ZCA, regardless if it is a fresh installation or an upgrade, and it is acceptable for sites to be paired and replication to be occurring.
For additional questions, please reach out to your account team for further clarification.