Backup & Disaster Recovery

How to create a custom role for ANF snapshots

I think we can all agree that Azure NetApp Files snapshots are a very powerful tool when it comes to backup and restore, Disaster Recovery and Business Continuity. A great use case is refreshing your Dev/Test environment with Production data in a matter of seconds.

For automating or delegating these tasks, it’s good practice to create a so-called non-privileged account a.k.a. least privilege access. In this article we’ll explain how to create a custom role that allows to read, write and delete ANF snapshots and how to apply this role to a Service Principal in Azure.

Before we start, please note the following requirements.

  1. Custom roles require Azure AD P1 or P2
  2. To Setup the Service Principal you need to be a member of either the Owner or User Access Administrator role

Step 1: create Service Principal
Open the Azure Cloud Shell and enter the following command.
az ad sp create-for-rbac --name ServicePrincipalANFsnapshot

create Service Principal

Save the output, since it contains the password and appId (needed in step 4). Also, keep in mind the Service Principal is a contributor (default) at this point.

Step 2: create custom role .json
Creating custom roles from the Azure Portal is limited, so we need to create a .json file that describes the role. Create ANFsnapshots.json with the following contents and upload the file to your Cloud Shell. Replace insert_sub_id_here with your subscription ID.

		  "Name": "ANF snapshots",
		  "IsCustom": true,
		  "Description": "Read, write and delete ANF snapshots.",
		  "Actions": [
		  "NotActions": [],
		  "DataActions": [],
		  "NotDataActions": [],
		  "AssignableScopes": [

As you can see, all actions belonging to /snapshots/* are included. This effectively means the following three actions are allowed.


Step 3: create custom role from .json
Execute the following command and point to the .json file created in step 2. This will create the custom role from the .json input.
New-AzRoleDefinition -InputFile "ANFsnapshots.json"

create custom role from .json

Step 4: assign role to service principal
First we remove the default contributor role. Replace “insert_app_id” with the corresponding value from step 1.
az role assignment delete --assignee "insert_app_id" --role Contributor

We now assign the custom role to the Service Principal. Again, replace “insert_app_id.
az role assignment create --assignee "insert_app_id" --role "ANF snapshots"

assign the custom role to the Service Principal

Congratulations, your Service Principal with the custom ANF snapshot role is now ready for use!

N.B. Please note that the custom role does not show up in the Azure Portal. You can list all custom roles by running the following command.
az role definition list --custom-role-only true --output json --query '[].{roleName:roleName, roleType:roleType}'


  1. Hi Rutger,

    It seems in the Custom Role, additionally we need to also provide read access to Capacity pools and Volumes as below:

    Error: When Taking Snapshot:
    Error message: The client ‘6e15ae14-763d-446c-a1ea-40f00658840f’ with object id ‘6e15ae14-763d-446c-a1ea-40f00658840f’ does not have authorization to perform action ‘Microsoft.NetApp/netAppAccounts/capacityPools/read’ over scope ‘/subscriptions/3af3b1d7-1863-4cdb-b69c-38fd1179119c/resourceGroups

    Solution: Add Additional Permission to Custom Role


Leave a Reply

%d bloggers like this: