Azure requirements for storing snapshots in an Azure Blob storage - BlueCat Cloud Resolver - 1.5.0

BlueCat Cloud Resolver Administration Guide

Locale: English
Product name: BlueCat Cloud Resolver
Version: 1.5.0

If you are configuring Cloud Resolver in a high-availability cluster and storing the snapshot information in Azure Blob storage, you must configure the following Service Principal or Managed Identity permissions to provide read and write access to the objects in the Blob storage.

For information on creating Service Principals, refer to https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal.

For information on configuring Managed Identities, refer to https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.

Cloud Resolver instances with the full role

If you are configuring a Cloud Resolver instance to operate with the full role, the Cloud Resolver instance must be able to read and write the snapshot in the Blob storage.

Cloud Resolver instances using Managed Identity permissions

Create a custom AAD role in Azure and assign the following dataActions permissions to the AAD role:
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action

Cloud Resolver instances using Service Principals

Create a Service Principal (SP) associated with each remote tenant within the tenant's Azure Active Directory (AAD) infrastructure and assign the following dataActions access rights within the tenant AAD:
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action

Once you have created the custom AAD role and assigned the permissions, add the role assignment to the Managed Identity and assign the Managed Identity to the platform where Cloud Resolver is installed.

Cloud Resolver instances with the resolver role

If you are configuring a Cloud Resolver instance to operate with the resolver role, the Cloud Resolver instance must be able to read and write the snapshot in the Blob storage.

Cloud Resolver instances using Managed Identity permissions

Create a custom AAD role in Azure and assign the following dataActions permission to the AAD role:
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read

Cloud Resolver instances using Service Principals

Create a Service Principal (SP) associated with each remote tenant within the tenant's Azure Active Directory (AAD) infrastructure and assign the following dataActions access right within the tenant AAD:
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read

Once you have created the custom AAD role and assigned the permissions, add the role assignment to the Managed Identity and assign the Managed Identity to the platform where Cloud Resolver is installed.
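The following script is an added example, not BlueCat's own tooling and not part of this guide. It generates the custom role definition for each Cloud Resolver role (read, write and add/action for the full role; read only for the resolver role) as the JSON that `az role definition create` accepts, and prints the Azure CLI commands that bind the role to a user-assigned Managed Identity. The subscription ID, resource group, storage account and identity names are placeholders, the two role names are chosen here, and scoping the assignment to the single storage account that holds the snapshot (rather than the subscription) is this example's least-privilege choice, not a requirement stated by the guide.

```shell
#!/bin/sh
# Added example (not BlueCat's code): build the custom Azure role definitions
# for Cloud Resolver snapshot access and show the az CLI calls to assign them.
# All resource names below are placeholders (assumptions), override via env vars.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-cloud-resolver}"                         # placeholder
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-stcloudresolversnap}"                     # placeholder
IDENTITY_NAME="${IDENTITY_NAME:-id-cloud-resolver}"                           # placeholder

# Scope for the role: only the storage account holding the snapshot, so the
# identity gets no data-plane rights on any other storage account.
scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT"
}

# Display name of the custom role for a given Cloud Resolver role (names chosen here).
role_name() {
  case "$1" in
    full)     echo "Cloud Resolver Snapshot Writer" ;;
    resolver) echo "Cloud Resolver Snapshot Reader" ;;
    *)        echo "unknown Cloud Resolver role: $1" >&2; return 1 ;;
  esac
}

# Print the custom role definition JSON. The dataActions are exactly those the
# guide lists: full needs read + write + add/action, resolver needs read only.
role_definition() {
  cr_role="$1"
  name="$(role_name "$cr_role")"
  case "$cr_role" in
    full)
      actions='"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"'
      ;;
    resolver)
      actions='"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"'
      ;;
  esac
  cat <<EOF
{
  "Name": "$name",
  "IsCustom": true,
  "Description": "Blob data access for BlueCat Cloud Resolver snapshots ($cr_role role)",
  "Actions": [],
  "NotActions": [],
  "DataActions": [
    $actions
  ],
  "NotDataActions": [],
  "AssignableScopes": [ "$(scope)" ]
}
EOF
}

# Print (not run) the az CLI commands that create the role from a definition
# file and assign it to the Managed Identity's principal at the storage scope.
assignment_commands() {
  cr_role="$1"
  def_file="$2"
  cat <<EOF
az role definition create --role-definition @$def_file
PRINCIPAL_ID=\$(az identity show --resource-group $RESOURCE_GROUP --name $IDENTITY_NAME --query principalId -o tsv)
az role assignment create --assignee-object-id "\$PRINCIPAL_ID" --assignee-principal-type ServicePrincipal --role "$(role_name "$cr_role")" --scope "$(scope)"
EOF
}

# Usage: sh snapshot-role.sh full|resolver   (writes the JSON, prints the commands)
main() {
  cr_role="${1:-full}"
  def_file="cloud-resolver-${cr_role}-role.json"
  role_definition "$cr_role" > "$def_file"
  echo "# wrote $def_file"
  assignment_commands "$cr_role" "$def_file"
}

if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it once per Cloud Resolver role and review the printed commands before executing them; after assignment, `az role assignment list --scope <storage account id>` should show only the identity and the single custom role, which is the check that the resolver-role instances did not silently inherit write access.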