The Azure built-in role "Reader" has no default access to the Storage Account keys which are required for collecting data about VHDs, therefore another custom Role should be created.

Create a Custom Role

You need to have Owner or User Access Administrator permissions to create custom roles.

1. In the Azure portal, open a subscription or a resource group where a custom role is to be assigned to.

2. Open 'Access control (IAM)'. Click Add → Add custom role. Name the role CloudAware Custom Policy.

3. Select one of the following options to proceed:

a) 'Start from scratch'. Open the tab Permissions → Add permissions. Copy and paste Microsoft.Storage/storageAccounts/listKeys/action in the Search for a permission box to select Microsoft Storage. Check the box near the permission. Click Add.

The permission Microsoft.Storage/storageAccounts/listKeys/action grants 'read' access to Storage Account Keys. 

If you are planning to install Breeze Agent, the permission Microsoft.Compute/virtualMachines/extensions/write is required for this custom role as well.

b) 'Start from JSON'. Use the JSON template below. Fill your subscription id in the {subscription_id} field.

  "IsCustom": true,
  "Name": "CloudAware Collector Extended",
  "Description": "For collecting data about Blob Containers and VHDs we need to get access to the Storage Account keys as the default role Reader does not provide API access to these keys.",
  "Actions": [
  "notActions": [],
  "assignableScopes": [

c) 'Clone a role'. Select one* of the existing roles.

*Commonly used Azure built-in roles:

Built-in Role






Virtual Machine Contributor


Virtual Network Contributor


Storage Account Contributor


Web Plan Contributor


SQL server Contributor


SQL DB Contributor


Read more

Open the tab 'JSON' to check and modify the permissions (see 3 a) if necessary. The JSON body of the existing role should look like in the template below:

  "name": "{your-existing-Role-definition-id}",
  "permissions": [
      "actions": [
      "notActions": []
  "AssignableScopes": [
  "RoleName": "{your-Role-name}",
  "RoleType": "CustomRole",
  "type": "Microsoft.Authorization/RoleDefinitions"

Replace {your-existing-Role-definition-id} with your role definition id. In the section "AssignableScopes" add the string "/subscriptions/{subscription-id}" with your {subscription-id}.

4. Assign the custom role to a user in case you are adding a Native application, or to the application in case you are adding a Web app/API.

Custom role creation in Azure Portal is an asynchronous operation. This means that a time lag may take place.

5. Open the tab 'Review + Create'. Check the role details and click Create.

Update an Existing Cloudaware Custom Policy

Cloudaware may regularly introduce new capabilities which require addition of new actions and permissions. In cases a Cloudaware custom role already exists, you can update this role without updating it for every subscription. If updating an existing Cloudaware Custom Policy role is required, your Technical Account manager will provide you with instructions on how to perform this action.

Custom role creation in Azure Portal is an asynchronous operation. This means that a time lag may take place between the creation of a role and time when this role becomes available.