
Minimum Azure RBAC permissions for NetApp cross-region replication via Terraform/Azure DevOps pipeline

Gavin Wun 25 Reputation points
2026-03-11T00:42:43.3333333+00:00

Hi,

I'm trying to scope down the permissions on an Azure DevOps service connection to the minimum required to set up Azure NetApp Files cross-region replication (Australia East → Australia Southeast) via Terraform.

Background

The service connection already has sufficient permissions on the primary (source) subscription to create and manage NetApp volumes. I just need to assign it the right custom role on the destination subscription so the pipeline can create the replication destination volume.

We are using NFSv3 (no SMB/AD DS requirements).

What I've tried

I've checked the following docs but neither explicitly lists the RBAC permissions required for data_protection_replication:

There is no built-in Azure role that covers this. Can anyone advise what permissions should be included in a custom role for the destination subscription?



Answer accepted by question author
    Ravi Varma Mudduluru 9,825 Reputation points Microsoft External Staff Moderator
    2026-03-11T02:55:33.5733333+00:00

    Hello @Gavin Wun,

    Thanks for reaching out to Microsoft Q&A.

    As discussed offline, when configuring Azure NetApp Files cross-region replication using Terraform, the service principal used by your Azure DevOps service connection must have permissions to both create the destination volume and manage replication operations on the destination subscription.

    Currently, there is no built-in Azure RBAC role specifically for Azure NetApp Files replication, so the recommended approach is to create a custom role with the minimum permissions required for volume management and replication actions.

    Minimum permissions to include in the custom role:

    You can include the following actions in the role definition for the destination subscription (or preferably scoped to the destination resource group or NetApp account) as per the below document.

    Reference document: https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/storage#microsoftnetapp

    Ensure the following prerequisites are met for cross-region replication:

    • The destination NetApp account and capacity pool already exist.
    • The delegated subnet for Azure NetApp Files is configured in the destination region.
    • Both subscriptions are within the same Microsoft Entra tenant.

    Reference document:

    https://learn.microsoft.com/en-us/azure/azure-netapp-files/cross-region-replication-create-peering
    https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

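The approach in the accepted answer (a custom role scoped to the destination NetApp account rather than the whole subscription, assigned to the pipeline's service principal), as an added Terraform example that is not part of the question or the answer. The action list, the account and resource group names, and the `var.pipeline_service_principal_object_id` variable are assumptions; the actions are real `Microsoft.NetApp` operations, but treat the set as a starting point to validate against the permissions reference linked above and against what the pipeline actually calls.

```hcl
# Added example, not the original poster's or Microsoft's code.
# Assumes the azurerm provider in this module is configured against the
# destination (Australia Southeast) subscription.

data "azurerm_netapp_account" "dst" {
  name                = "anf-dst-account"           # assumed name
  resource_group_name = "rg-anf-australiasoutheast" # assumed name
}

resource "azurerm_role_definition" "anf_replication_dst" {
  name        = "ANF Replication Destination (custom)"
  scope       = data.azurerm_netapp_account.dst.id # scoped to the account, not the subscription
  description = "Create and manage the cross-region replication destination volume only."

  permissions {
    actions = [
      # Reads Terraform needs to resolve the existing account and capacity pool
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.NetApp/netAppAccounts/read",
      "Microsoft.NetApp/netAppAccounts/capacityPools/read",
      # Create, update and delete the destination volume (data_protection_replication)
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/read",
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/write",
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/delete",
      # Replication lifecycle on the destination volume (status polling; break and
      # delete are needed so that terraform destroy can tear the volume down cleanly)
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/ReplicationStatus/action",
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/BreakReplication/action",
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/DeleteReplication/action",
      # Long-running operation polling used by the provider
      "Microsoft.NetApp/locations/operationResults/read",
    ]
    not_actions = []
  }

  # Keep the role assignable only where it is needed.
  assignable_scopes = [data.azurerm_netapp_account.dst.id]
}

resource "azurerm_role_assignment" "pipeline_dst" {
  scope              = data.azurerm_netapp_account.dst.id
  role_definition_id = azurerm_role_definition.anf_replication_dst.role_definition_resource_id
  principal_id       = var.pipeline_service_principal_object_id # assumed variable
}

# Assumption: placing the volume into the delegated subnet additionally needs
# Microsoft.Network/virtualNetworks/subnets/join/action, granted separately at the
# subnet's scope (it is outside the NetApp account scope used above).
```

After the first successful pipeline run, compare the operations recorded in the destination subscription's Activity Log for this principal against the list and remove any action that was never exercised.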
