
Azure Account RBAC and Entra Role Permissions required to Set Up and Register the ASR appliance to protect on-prem VMware environments

Anandha Chandrasekaran 20 Reputation points
2026-06-05T20:34:51.6266667+00:00

While registering the ASR appliance with a Recovery Services Vault for protecting on-prem VMware VMs, what permissions are required by the Azure account that registers the appliance?

This document (https://learn.microsoft.com/en-us/azure/site-recovery/deploy-vmware-azure-replication-appliance-modernized#required-permissions) says

To create and register the Azure Site Recovery replication appliance, you need an Azure account with:

  • Contributor or Owner permissions on the Azure subscription.
  • Permissions to register Microsoft Entra apps.
  • Owner or Contributor plus User Access Administrator permissions on the Azure subscription to create a Key Vault, used during registration of the Azure Site Recovery replication appliance with Azure.

My questions are:

  1. I have Owner permission on the subscription; is that enough? Should I have other RBAC permissions and Entra roles?
  2. I assume having Owner permission includes the required permissions: Microsoft.OffAzure/* and Microsoft.Recoveryservices/*
  3. What permissions are required to register Microsoft Entra apps? I have the Cloud Application Administrator Entra role. Is that enough, or do I need any other role?

What is the relevance of these steps mentioned in the document?
Follow these steps to assign required permissions:

In Azure portal, navigate to Microsoft Entra ID > Users > User Settings. In User settings, verify that Microsoft Entra users can register applications (set to Yes by default).

  • In case the App registrations settings is set to No, request the tenant/global admin to assign the required permission. The Application Developer role cannot be used to enable registration of Microsoft Entra App.

This section is really confusing, and why does the appliance register Entra apps?

Please help clarify these points.


1 answer

  1. Jerald Felix 13,255 Reputation points Volunteer Moderator
    2026-06-06T01:30:09.66+00:00

    Hello Anandha Chandrasekaran,

    Greetings! Thanks for raising this question in Q&A forum.

    These are really good clarifying questions and the Microsoft documentation on this topic can indeed be confusing. Let me break this down clearly for you one question at a time.

    Question 1 — Is Owner permission on the subscription enough?

    Yes, Owner on the subscription is sufficient for all Azure RBAC requirements. The documentation requires Contributor or Owner on the subscription, plus Owner or Contributor along with User Access Administrator to create the Key Vault used during registration. Since Owner already includes all of these permissions, you don't need any additional RBAC roles on the Azure side. You are fully covered.

    Question 2 — Does Owner include Microsoft.OffAzure/* and Microsoft.Recoveryservices/*?

    Yes, your assumption is correct. The required permissions listed — Microsoft.OffAzure/* and Microsoft.Recoveryservices/* — are the specific resource-level permissions the appliance needs to interact with the Recovery Services Vault and Azure Migrate infrastructure. The Owner role is a superset of all resource permissions including these two, so you are already covered here as well. No additional custom role is needed.

    Question 3 — Is Cloud Application Administrator enough to register Entra apps?

    Yes, Cloud Application Administrator is sufficient to register Entra apps. The document mentions two possible paths:

    • If the App registrations setting in Entra ID User Settings is set to Yes (which is the default for most tenants), then any user — including you — can register apps without needing any special Entra role at all.
    • If that setting has been set to No by your tenant admin (a common security hardening step in enterprise tenants), then you need an Entra role that allows app registration. Cloud Application Administrator covers this scenario perfectly and is the right role to have.

    Why does the ASR Appliance register an Entra App — and what is that step in the doc about?

    This is the most confusing part, so here's a plain explanation. During registration, the ASR replication appliance creates an Azure AD (Entra) app registration in your tenant. This app acts as the secure identity the appliance uses to authenticate with Azure services including the Recovery Services Vault, Key Vault, and storage accounts without using your personal credentials permanently. Think of it like the appliance getting its own service identity so it can talk to Azure securely on an ongoing basis after setup is complete.

    The step in the document that asks you to check Microsoft Entra ID → Users → User Settings → App registrations is simply verifying that your tenant allows this app registration to happen. If it's set to Yes, you're fine. If it's set to No, a Global Admin needs to either flip it back to Yes or explicitly grant your account the ability to register apps.

    One additional note worth calling out — if multiple users are configuring appliances registered to the same Recovery Services Vault, each user should be added as an Owner to the Entra AAD app of that vault. You can do this in Azure Portal under App registrations → search for the vault's AAD app → Manage → Owners → Add Owners. This is easy to miss and can cause permission failures when a second person tries to register another appliance to the same vault.

    To summarize: your current combination of Owner on the subscription plus Cloud Application Administrator Entra role is fully sufficient to deploy and register the ASR appliance for VMware protection. You don't need anything more.

    If this answer helps you, kindly accept it, which will help others who have similar questions.

    Best Regards,

    Jerald Felix.

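A preflight check for the three prerequisites discussed in the answer above, written as an added example (it is not part of the question, the answer, or Microsoft's documentation). It assumes the Az.Accounts, Az.Resources, Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users modules are installed and that Connect-AzAccount and Connect-MgGraph (with Policy.Read.All and Directory.Read.All) have already been run. The subscription ID and user principal name are placeholder inputs, and the list of Entra roles treated as sufficient for app registration is the script's own assumption, following the answer's statement that Cloud Application Administrator is enough.

```powershell
# Added preflight script (not from the Q&A or the ASR docs): checks whether the account that
# will register the ASR replication appliance meets the documented prerequisites.
# Assumes an existing Connect-AzAccount and Connect-MgGraph session.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,      # placeholder input
    [Parameter(Mandatory)] [string] $UserPrincipalName    # placeholder input
)

$scope  = "/subscriptions/$SubscriptionId"
$result = [ordered]@{}

# 1. Azure RBAC at subscription scope: Owner, or Contributor plus User Access Administrator.
#    -Scope lists assignments effective at that scope, including ones inherited from
#    management groups; -ExpandPrincipalGroups includes assignments made via group membership.
$assignments = Get-AzRoleAssignment -SignInName $UserPrincipalName -Scope $scope -ExpandPrincipalGroups
$roles = @($assignments | Select-Object -ExpandProperty RoleDefinitionName -Unique)
$result.RbacRoles = $roles -join ', '
$result.RbacOk = ($roles -contains 'Owner') -or
                 (($roles -contains 'Contributor') -and ($roles -contains 'User Access Administrator'))

# 2. Tenant setting "Users can register applications"
#    (portal: Microsoft Entra ID > Users > User settings > App registrations).
$authPolicy = Get-MgPolicyAuthorizationPolicy
$result.UsersCanRegisterApps = [bool] $authPolicy.DefaultUserRolePermissions.AllowedToCreateApps

# 3. Entra directory roles held by the account. Only matters when setting 2 is No.
#    Get-MgUserMemberOf returns groups and directory roles; keep only the roles.
$directoryRoles = @(Get-MgUserMemberOf -UserId $UserPrincipalName -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] })
$result.EntraRoles = $directoryRoles -join ', '

# Assumption of this script: these roles are enough to create an app registration when the
# tenant-wide setting is off. Application Developer is deliberately not in the list.
$appRegRoles = @('Global Administrator', 'Application Administrator', 'Cloud Application Administrator')
$result.AppRegOk = $result.UsersCanRegisterApps -or
                   (@($directoryRoles | Where-Object { $appRegRoles -contains $_ }).Count -gt 0)

$result.ReadyToRegisterAppliance = $result.RbacOk -and $result.AppRegOk
[pscustomobject] $result | Format-List
```

Run it as `.\Check-AsrAppliancePrereqs.ps1 -SubscriptionId <sub-id> -UserPrincipalName user@contoso.com` before starting the appliance setup. If `UsersCanRegisterApps` is False and `AppRegOk` is False, that is the case the documentation describes: ask a tenant admin either to re-enable the setting or to assign one of the app-registration roles, since the appliance cannot create its Entra app identity otherwise. Note that PIM-eligible roles will not appear in `EntraRoles` until they are activated.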
