Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. IT Analytics Help
  3. Section XII. Cloud
  4. Configuration for Microsoft Azure
  5. Create a principal and assign role to the application

Create a principal and assign role to the application

To enable access rights to the subscription, assign a combination of the Reader role and a custom Azure Storage read-only RBAC role to the application.

To create a combination of Reader and RBAC role for access:

  1. Create a Principal for the application:
    New-AzureRmADServicePrincipal -ApplicationId <APPLICATIONID>
  2. Assign a Reader role ot the application. This role is required for Azure Resource Manager (ARM) discovery.
    New-AzureRmRoleAssignment `
    -RoleDefinitionName Reader `
    -ServicePrincipalName <APPLICATIONID> `
    -Scope "/subscriptions/<SubscriptionID>"
  3. Create a .json file template with the required permissions. The permissions set in this template ensure read-only access to Azure Storage services using RBAC. Storage Account keys are no used.
    { 
    "Name": "<Role-Name>", 
    "Id": null, 
    "IsCustom": true, 
    "Description": "<Role Description>", 
    "Actions": [ "Microsoft.Storage/*/read", "Microsoft.Resources/subscriptions/resourceGroups/read" ], 
    "NotActions": [], 
    "DataActions": [ "Microsoft.Storage/*/read" ], 
    "NotDataActions": [], 
    "AssignableScopes": [ "/subscriptions/<Subscription ID>" ] 
    }
  4. Create a custom role with .json file template .
    New-AzRoleDefinition -InputFile "C:\CustomRoles\customrole.json"
  5. Assign the custom role to the application.
    New-AzureRmRoleAssignment `
    -RoleDefinitionName <customRoleName> `
    -ServicePrincipalName <APPLICATIONID> `
    -Scope "/subscriptions/<SubscriptionID>"
     
  6. Add below advance parameter in IT Analytics.
    • Parameter name: AZURE_STORAGE_AUTH_MODE

    • Parameter value: RBAC

Feedback

Was this page helpful?
Previous

Register a new application for the Data Collector

Next

Prerequisites for Adding Data Collectors (Microsoft Azure)

Feedback

Was this page helpful?