Azure Backup: Recover Files without Permission to Modify Settings

Question

Azure Backup: Recover Files without Permission to Modify Settings

Branden Willis 20

We have an ask from a client: They want permissions configured on their Azure tenant such that only a specified break-glass account would have the capability to modify settings on their backups. (Primarily AFS and VMs). The idea being to prevent something where a backup policy gets modified, either accidentally or maliciously, resulting in deletion of historical recovery points.

That being said, the IT staff needs to be able to retain the ability to carry out file recoveries and such from those same backups.

Per my research, Roles are assigned at the Vault level, and you can't get any more granular than that. Modifying the policies would require Backup Contributor or Backup Operator role. But I found that "To restore backups in Azure, you'll generally need either the Backup Contributor or Backup Operator role, depending on the specific resource and operation." So assigning the IT staff the Backup Reader role only would prevent access to modify policies, but would also prevent them from being able to do their jobs.

There's probably something obvious that I'm missing.

Pranay Reddy Madireddy 6,180 Reputation points Microsoft External Staff Moderator

2025-06-18T19:12:27.18+00:00

Hi Branden Willis
I just wanted to check if the above provided information worked for you or if you need any further assistance?

Please feel free to let us know, as we are always here to help whenever you need us.

Additionally, if you have a moment, please do Upvote if the information provided has been helpful. This can be beneficial to other community members and would be greatly appreciated. Thank you.
Branden Willis 20 Reputation points

2025-06-18T19:50:35.58+00:00

@Pranay Reddy Madireddy My own research had been indicating that the Backup Operator role could still effect policies. So you steered me straight in that regard, thanks.

My next issue is that the Vault is currently inheriting 38 Role assignments from elsewhere in the Subscription. Near as I can tell, officially there's no way to block inheritance in the manner that you would with NTFS permissions on a folder, so I either need to go crazy with the explicit Deny's, or I need to restructure the entire organization's role assignment strategy.
Pranay Reddy Madireddy 6,180 Reputation points Microsoft External Staff Moderator

2025-06-18T20:00:34.91+00:00

Hi @Branden Willis
Azure role-based access control (RBAC) does not allow for blocking inheritance of role assignments in the same way that NTFS permissions do. Instead, Azure RBAC relies on a hierarchical model where role assignments can be inherited from parent scopes (like subscriptions or resource groups).

To manage permissions effectively, you may need to consider restructuring your role assignment strategy to ensure that users have the appropriate access without the need for excessive explicit denies. This could involve creating custom roles or assigning roles at different scopes to limit the inherited permissions.

https://learn.microsoft.com/en-us/azure/backup/guidance-best-practices#encryption-of-data-in-transit-and-at-rest
Kindly let us know if the above helps or you need further assistance on this issue.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Pranay Reddy Madireddy 6,180 Reputation points Microsoft External Staff Moderator

2025-06-19T18:23:20.8533333+00:00

Hi @Branden Willis
I just wanted to check if the above provided information worked for you or if you need any further assistance?

Please feel free to let us know, as we are always here to help whenever you need us.

Additionally, if you have a moment, please do ''accept answer'' if the information provided has been helpful. This can be beneficial to other community members and would be greatly appreciated.
Pranay Reddy Madireddy 6,180 Reputation points Microsoft External Staff Moderator

2025-06-20T18:27:20.0066667+00:00

Hi @Branden Willis

I just wanted to check if the above provided information worked for you or if you need any further assistance?

Please feel free to let us know, as we are always here to help whenever you need us.

Additionally, if you have a moment, please do ''accept answer'' if the information provided has been helpful. This can be beneficial to other community members and would be greatly appreciated.

Accepted answer

0 additional answers

Your answer

Pranay Reddy Madireddy 6,180 Reputation points Microsoft External Staff Moderator

2025-06-18T19:12:27.18+00:00

Hi Branden Willis
I just wanted to check if the above provided information worked for you or if you need any further assistance?

Please feel free to let us know, as we are always here to help whenever you need us.

Additionally, if you have a moment, please do Upvote if the information provided has been helpful. This can be beneficial to other community members and would be greatly appreciated. Thank you.
Branden Willis 20 Reputation points

2025-06-18T19:50:35.58+00:00

@Pranay Reddy Madireddy My own research had been indicating that the Backup Operator role could still effect policies. So you steered me straight in that regard, thanks.

My next issue is that the Vault is currently inheriting 38 Role assignments from elsewhere in the Subscription. Near as I can tell, officially there's no way to block inheritance in the manner that you would with NTFS permissions on a folder, so I either need to go crazy with the explicit Deny's, or I need to restructure the entire organization's role assignment strategy.
Pranay Reddy Madireddy 6,180 Reputation points Microsoft External Staff Moderator

2025-06-18T20:00:34.91+00:00

Hi @Branden Willis
Azure role-based access control (RBAC) does not allow for blocking inheritance of role assignments in the same way that NTFS permissions do. Instead, Azure RBAC relies on a hierarchical model where role assignments can be inherited from parent scopes (like subscriptions or resource groups).

To manage permissions effectively, you may need to consider restructuring your role assignment strategy to ensure that users have the appropriate access without the need for excessive explicit denies. This could involve creating custom roles or assigning roles at different scopes to limit the inherited permissions.

https://learn.microsoft.com/en-us/azure/backup/guidance-best-practices#encryption-of-data-in-transit-and-at-rest
Kindly let us know if the above helps or you need further assistance on this issue.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Pranay Reddy Madireddy 6,180 Reputation points Microsoft External Staff Moderator

2025-06-19T18:23:20.8533333+00:00

Hi @Branden Willis
I just wanted to check if the above provided information worked for you or if you need any further assistance?

Please feel free to let us know, as we are always here to help whenever you need us.

Additionally, if you have a moment, please do ''accept answer'' if the information provided has been helpful. This can be beneficial to other community members and would be greatly appreciated.
Pranay Reddy Madireddy 6,180 Reputation points Microsoft External Staff Moderator

2025-06-20T18:27:20.0066667+00:00

Hi @Branden Willis

I just wanted to check if the above provided information worked for you or if you need any further assistance?

Please feel free to let us know, as we are always here to help whenever you need us.

Additionally, if you have a moment, please do ''accept answer'' if the information provided has been helpful. This can be beneficial to other community members and would be greatly appreciated.

Answer 1

Hi @Branden Willis
Assign the Backup Contributor role to your designated Break-Glass account. This role provides full management capabilities over backup operations, including the ability to modify backup policies. It ensures that the account has sufficient privileges to respond to emergency situations effectively.

For your IT staff responsible for day-to-day backup and restore operations, assign the Backup Operator role. This role allows users to perform backup and restore actions—including file recovery—without the ability to alter backup policies. This helps safeguard your backup configurations against accidental or unauthorized changes.

If the built-in roles do not align perfectly with your requirements, consider creating a custom role. This custom role can be tailored to provide specific permissions, such as the ability to recover files, while explicitly denying the ability to change backup policies. This ensures tighter control over your backup environment.

By carefully applying these RBAC roles, you can strike the right balance between operational flexibility for your IT staff and the security of your backup configurations.

https://learn.microsoft.com/en-us/azure/backup/backup-rbac-rs-vault
https://learn.microsoft.com/en-us/azure/backup/backup-rbac-rs-vault#minimum-role-requirements-for-azure-vm-backup

https://learn.microsoft.com/en-us/azure/backup/guidance-best-practices#security-considerations

Kindly let us know if the above helps or you need further assistance on this issue.

Please do not forget to "Accept the answer” and upvote it wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Share via

Azure Backup: Recover Files without Permission to Modify Settings

0 additional answers

Your answer