Skip to main content

Netskope Help

Limit permissions for Forensics to Azure Storage Account

After you have added the Azure subscription instance for Forensics to the Netskope tenant, you can limit Netskope's permissions to a storage account. To do this you must remove the existing custom role assigned to the subscription and create a new custom role for the storage account. You must retain the inbuilt Reader Role permission for the subscription. The purpose of the inbuilt reader role is available in Step 2/3: Assign Azure permissions to store forensic objects.

To remove the custom role created for the subscription,

  1. Log in to and navigate to All services > General > Subscriptions.

  2. On the Subscriptions page, click the appropriate subscription from the list.

  3. Click Access control (IAM).

  4. Click the Role assignments tab and select the custom role you created.

  5. Click Remove from the menu on the top of the page.

  6. Click Yes in the remove role assignment message window.

To create a new custom role for the storage account,

  1. Create a custom_role.json file with the following schema.

    "Name": "customforensic1",
    "Description": "forensic SA",
    "Actions": [
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [
    <Azure resource id of the storage account>
  2. Log into Azure CLI by running the command az login.

  3. Create the custom role definition by running the following CLI command.

    az role definition create --role-definition custom_role.json
  4. Log in to and navigate to All services > Storage > Storage accounts.

  5. On the Storage accounts page, click the appropriate storage account.

  6. Click + Add > Add role assignment.

  7. Under Roles, select the custom role defined in custom_role.json file, customforensic1.

  8. Keep the Assign access to User, group, or service principal.

  9. Under Select search for the name of the app registration used to Netskope instance setup and select it.

  10. Click Save.