Roles and Permissions for Azure Blobs

Updated this week

You need to attach roles to the NAS proxy (Azure virtual machine) that runs the NAS agent. These roles are essential for executing the Azure APIs required for operations such as listing, reading, and writing to Azure Blobs.

Once the custom role is attached to the virtual machine, the necessary permissions for the Azure SDK are fetched from the Azure virtual machine instance's metadata service, allowing the NAS agent to start backup and restore operations using the Azure APIs.

Roles and Permissions

The following table provides detailed information about the permissions allowed for roles:

| Permission name | Description |
| --- | --- |
| Microsoft.Storage/storageAccounts/write<br>Microsoft.Storage/storageAccounts/read | Permission to create and read/list storage accounts. |
| Microsoft.Storage/storageAccounts/blobServices/containers/write<br>Microsoft.Storage/storageAccounts/blobServices/containers/read | Permission to manage the blob container. |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read<br>Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | Permission to back up and restore Azure blobs. |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read<br>Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write<br>Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action | Permissions to manage tag information for listing blobs. |
| Microsoft.Storage/storageAccounts/blobServices/containers/getAcl/action<br>Microsoft.Storage/storageAccounts/blobServices/containers/setAcl/action | Permission to get and set additional container and blob properties. |

You must attach a custom role containing the Azure permissions listed above to the virtual machine. For more information, see the prerequisites section.
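Before attaching the custom role, it helps to check that it grants exactly the permissions in the table and nothing broader. The following is an added example, not code from the product: it audits a role definition in the JSON layout used for Azure custom roles. The role name, the sample role, the placeholder subscription ID, the scope check, and the split between `Actions` and `DataActions` are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# ASSUMPTION: blob and tag operations belong under DataActions and the rest under
# Actions; confirm the split against Azure's provider operations list.
P = "Microsoft.Storage/storageAccounts"
C = P + "/blobServices/containers"
EXPECTED = {
    "Actions": {P + "/write", P + "/read", C + "/write", C + "/read",
                C + "/getAcl/action", C + "/setAcl/action"},
    "DataActions": {C + "/blobs/read", C + "/blobs/write", C + "/blobs/tags/read",
                    C + "/blobs/tags/write", C + "/blobs/filter/action"},
}
ALL_EXPECTED = EXPECTED["Actions"] | EXPECTED["DataActions"]

def audit_role(role):
    """Return sorted (finding, value) pairs; an empty list means the role matches the table."""
    findings = set()
    granted = {sec: set(role.get(sec, [])) for sec in EXPECTED}
    for sec, perms in granted.items():
        other = "DataActions" if sec == "Actions" else "Actions"
        for perm in perms:
            if "*" in perm:
                findings.add(("wildcard", perm))        # grants more than the table lists
            elif perm in EXPECTED[other]:
                findings.add(("wrong-section", perm))   # belongs in the other section
            elif perm not in ALL_EXPECTED:
                findings.add(("not-documented", perm))  # extra privilege for the NAS proxy
        for perm in EXPECTED[sec] - perms:
            covered = any(fnmatchcase(perm, g) for g in perms)  # already reported as wildcard
            if not covered and perm not in granted[other]:
                findings.add(("missing", perm))         # an agent API call would be denied
    for scope in role.get("AssignableScopes", []):
        if "/resourceGroups/" not in scope:             # hygiene check added here, not from the page
            findings.add(("broad-scope", scope))
    return sorted(findings)

# Constructed sample role with a placeholder subscription ID, deliberately flawed.
SAMPLE_ROLE = {
    "Name": "nas-proxy-blob-backup (hypothetical)",
    "Actions": [P + "/*", C + "/read", C + "/write", C + "/blobs/read",
                C + "/getAcl/action", C + "/setAcl/action"],
    "DataActions": [C + "/blobs/write", C + "/blobs/tags/read", C + "/blobs/filter/action"],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}

if __name__ == "__main__":
    for finding, value in audit_role(SAMPLE_ROLE):
        print(f"{finding:15} {value}")
```

Run it against the JSON of the role you intend to attach; any `wildcard`, `not-documented`, or `broad-scope` finding means the NAS proxy would hold more access than the table requires.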