Creating Custom Role for Azure Account

    Granular permissions differ depending on whether you create an Azure Stack Hub account, or Azure Compute account using a new AD application, or Azure Compute account using an existing account.

    Permissions for Azure Compute Account (Existing Account) and Azure Stack Hub Account

    If you plan to add an Azure Stack Hub account or an Azure Compute account using an existing Azure AD user account (select the Use the existing account option at the Subscription step of the wizard), and you do not want to use built-in Azure roles, you can create a custom role with granular permissions:

    1. Run one of the following scripts in Azure PowerShell:

    Script for Az PowerShell

    Import-Module Az.Resources

    # Build a custom role definition object and describe it.
    $role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
    $role.Name = 'Veeam Restore Operator'
    $role.Description = 'Permissions for Veeam Restore to Microsoft Azure'
    $role.IsCustom = $true

    # Granular permissions required for restore to Microsoft Azure.
    $permissions = @(
        'Microsoft.Storage/storageAccounts/listkeys/action',
        'Microsoft.Storage/storageAccounts/read',
        'Microsoft.Network/locations/checkDnsNameAvailability/read',
        'Microsoft.Network/virtualNetworks/read',
        'Microsoft.Network/virtualNetworks/subnets/join/action',
        'Microsoft.Network/publicIPAddresses/read',
        'Microsoft.Network/publicIPAddresses/write',
        'Microsoft.Network/publicIPAddresses/delete',
        'Microsoft.Network/publicIPAddresses/join/action',
        'Microsoft.Network/networkInterfaces/read',
        'Microsoft.Network/networkInterfaces/write',
        'Microsoft.Network/networkInterfaces/delete',
        'Microsoft.Network/networkInterfaces/join/action',
        'Microsoft.Network/networkSecurityGroups/read',
        'Microsoft.Network/networkSecurityGroups/write',
        'Microsoft.Network/networkSecurityGroups/delete',
        'Microsoft.Network/networkSecurityGroups/join/action',
        'Microsoft.Compute/locations/vmSizes/read',
        'Microsoft.Compute/locations/usages/read',
        'Microsoft.Compute/virtualMachines/read',
        'Microsoft.Compute/virtualMachines/write',
        'Microsoft.Compute/virtualMachines/delete',
        'Microsoft.Compute/virtualMachines/start/action',
        'Microsoft.Compute/virtualMachines/deallocate/action',
        'Microsoft.Compute/virtualMachines/instanceView/read',
        'Microsoft.Compute/virtualMachines/extensions/read',
        'Microsoft.Compute/virtualMachines/extensions/write',
        'Microsoft.Compute/virtualMachines/convertToManagedDisks/action',
        'Microsoft.Compute/disks/read',
        'Microsoft.Compute/disks/write',
        'Microsoft.Compute/disks/beginGetAccess/action',
        'Microsoft.Compute/disks/delete',
        'Microsoft.Compute/disks/endGetAccess/action',
        'Microsoft.Resources/checkResourceName/action',
        'Microsoft.Resources/subscriptions/resourceGroups/read',
        'Microsoft.Resources/subscriptions/resourceGroups/write',
        'Microsoft.Resources/subscriptions/locations/read'
    )

    $role.Actions = $permissions
    # Reuse the exclusions of the built-in Virtual Machine Contributor role.
    $role.NotActions = (Get-AzRoleDefinition -Name 'Virtual Machine Contributor').NotActions

    # Restrict where the role can be assigned to a single subscription.
    $subs = '/subscriptions/00000000-0000-0000-0000-000000000000'  # use your subscription ID
    $role.AssignableScopes = $subs

    New-AzRoleDefinition -Role $role

    Note

    Mind the following:

    • Use Connect-AzAccount and Get-AzSubscription to obtain the subscription ID that you enter in the script.
    • The script is provided for Az PowerShell module 6.0.0. The naming of commands may vary for other versions of Az PowerShell module.

    Script for Legacy AzureRM PowerShell

    Import-Module AzureRm.Resources

    # Build a custom role definition object and describe it.
    $role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
    $role.Name = 'Veeam Restore Operator'
    $role.Description = 'Permissions for Veeam Restore to Microsoft Azure'
    $role.IsCustom = $true

    # Granular permissions required for restore to Microsoft Azure.
    $permissions = @(
        'Microsoft.Storage/storageAccounts/listkeys/action',
        'Microsoft.Storage/storageAccounts/read',
        'Microsoft.Network/locations/checkDnsNameAvailability/read',
        'Microsoft.Network/virtualNetworks/read',
        'Microsoft.Network/virtualNetworks/subnets/join/action',
        'Microsoft.Network/publicIPAddresses/read',
        'Microsoft.Network/publicIPAddresses/write',
        'Microsoft.Network/publicIPAddresses/delete',
        'Microsoft.Network/publicIPAddresses/join/action',
        'Microsoft.Network/networkInterfaces/read',
        'Microsoft.Network/networkInterfaces/write',
        'Microsoft.Network/networkInterfaces/delete',
        'Microsoft.Network/networkInterfaces/join/action',
        'Microsoft.Network/networkSecurityGroups/read',
        'Microsoft.Network/networkSecurityGroups/write',
        'Microsoft.Network/networkSecurityGroups/delete',
        'Microsoft.Network/networkSecurityGroups/join/action',
        'Microsoft.Compute/locations/vmSizes/read',
        'Microsoft.Compute/locations/usages/read',
        'Microsoft.Compute/virtualMachines/read',
        'Microsoft.Compute/virtualMachines/write',
        'Microsoft.Compute/virtualMachines/delete',
        'Microsoft.Compute/virtualMachines/start/action',
        'Microsoft.Compute/virtualMachines/deallocate/action',
        'Microsoft.Compute/virtualMachines/instanceView/read',
        'Microsoft.Compute/virtualMachines/extensions/read',
        'Microsoft.Compute/virtualMachines/extensions/write',
        'Microsoft.Compute/virtualMachines/convertToManagedDisks/action',
        'Microsoft.Compute/disks/read',
        'Microsoft.Compute/disks/write',
        'Microsoft.Compute/disks/beginGetAccess/action',
        'Microsoft.Compute/disks/delete',
        'Microsoft.Compute/disks/endGetAccess/action',
        'Microsoft.Resources/checkResourceName/action',
        'Microsoft.Resources/subscriptions/resourceGroups/read',
        'Microsoft.Resources/subscriptions/resourceGroups/write',
        'Microsoft.Resources/subscriptions/locations/read'
    )

    $role.Actions = $permissions
    # Reuse the exclusions of the built-in Virtual Machine Contributor role.
    $role.NotActions = (Get-AzureRmRoleDefinition -Name 'Virtual Machine Contributor').NotActions

    # Restrict where the role can be assigned to a single subscription.
    $subs = '/subscriptions/00000000-0000-0000-0000-000000000000'  # use your subscription ID
    $role.AssignableScopes = $subs

    New-AzureRmRoleDefinition -Role $role

    Note

    Mind the following:

    • Use Connect-AzureRmAccount and Get-AzureRmSubscription to obtain the subscription ID that you enter in the script.
    • The script is provided for Microsoft Azure PowerShell version 5.1.1 bundled with Veeam Backup & Replication. The naming of commands may vary for other versions of Microsoft Azure PowerShell.

    2. Assign the created role to the required Azure user. For details, see the Manage access to Azure resources using RBAC and the Azure portal section in the RBAC for Azure resources documentation.
    3. In the Subscription step of the Microsoft Azure Compute Account wizard, select Use existing account and select the Azure user with the assigned role. For details, see Select Access Type.
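    The following Az PowerShell snippet is an added example and not part of the Veeam documentation: it checks what Azure actually stored for the 'Veeam Restore Operator' role against the intended permission list before the assignment in step 2, then performs that assignment. It assumes it runs in the same session as the Az script above, so $permissions and $subs are still defined; the user's sign-in name is an assumed value.

```powershell
# Added example (not Veeam's code). Assumes $permissions and $subs from the
# Az script above are still defined in this session.
Import-Module Az.Resources

$roleName = 'Veeam Restore Operator'
$userUpn  = 'restore-operator@contoso.example'   # assumed sign-in name of the Azure AD user

# 1. Fetch the role as Azure stored it.
$role = Get-AzRoleDefinition -Name $roleName
if (-not $role) { throw "Role '$roleName' was not created" }

# 2. Least-privilege checks: no wildcard actions, no drift from the intended
#    list, and assignable only within this subscription.
$wildcards = @($role.Actions | Where-Object { $_.Contains('*') })
if ($wildcards.Count -gt 0) {
    throw "Role contains wildcard actions: $($wildcards -join ', ')"
}

$drift = Compare-Object -ReferenceObject $permissions -DifferenceObject $role.Actions
if ($drift) {
    # '<=' marks an intended action that is missing, '=>' an action that should not be there.
    $drift | ForEach-Object { Write-Warning "$($_.SideIndicator) $($_.InputObject)" }
    throw 'Stored actions differ from the intended permission list'
}

$badScopes = @($role.AssignableScopes | Where-Object { $_ -ne $subs })
if ($badScopes.Count -gt 0) {
    throw "Unexpected assignable scope: $($badScopes -join ', ')"
}

# 3. Assign the role to the user at subscription scope; skip if it already exists.
$existing = Get-AzRoleAssignment -SignInName $userUpn -RoleDefinitionName $roleName -Scope $subs
if (-not $existing) {
    New-AzRoleAssignment -SignInName $userUpn -RoleDefinitionName $roleName -Scope $subs | Out-Null
}

# 4. Show every assignment the user now holds at this scope, for the change record.
Get-AzRoleAssignment -SignInName $userUpn -Scope $subs |
    Select-Object DisplayName, RoleDefinitionName, Scope
```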

    Permissions for Azure Compute Account (New Account)

    If you plan to add an Azure Compute account using an Azure Active Directory (AD) application (select the Create a new account option at the Subscription step of the wizard), and you do not want to use built-in Azure roles, you can create a custom role with granular permissions:

    1. Run one of the following scripts in Azure PowerShell:

    Script for Az PowerShell

    Import-Module Az.Resources

    # Build a custom role definition object and describe it.
    $role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
    $role.Name = 'Veeam Register Azure Compute Account using new Azure AD application'
    $role.Description = 'Permissions needed to add an Azure Compute Account based on new Azure AD application'
    $role.IsCustom = $true

    # Permissions needed to register the account with a new Azure AD application.
    $permissions = @(
        'Microsoft.Authorization/roleAssignments/read',
        'Microsoft.Authorization/roleAssignments/write'
    )

    $role.Actions = $permissions
    # Reuse the exclusions of the built-in Virtual Machine Contributor role.
    $role.NotActions = (Get-AzRoleDefinition -Name 'Virtual Machine Contributor').NotActions

    # Restrict where the role can be assigned to a single subscription.
    $subs = '/subscriptions/00000000-0000-0000-0000-000000000000'  # use your subscription ID
    $role.AssignableScopes = $subs

    New-AzRoleDefinition -Role $role

    Note

    Mind the following:

    • Use Connect-AzAccount and Get-AzSubscription to obtain the subscription ID that you enter in the script.
    • The script is provided for Az PowerShell module 6.0.0. The naming of commands may vary for other versions of Az PowerShell module.

    Script for Legacy AzureRM PowerShell

    Import-Module AzureRm.Resources

    # Build a custom role definition object and describe it.
    $role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
    $role.Name = 'Veeam Register Azure Compute Account using new Azure AD application'
    $role.Description = 'Permissions needed to add an Azure Compute Account based on new Azure AD application'
    $role.IsCustom = $true

    # Permissions needed to register the account with a new Azure AD application.
    $permissions = @(
        'Microsoft.Authorization/roleAssignments/read',
        'Microsoft.Authorization/roleAssignments/write'
    )

    $role.Actions = $permissions
    # Reuse the exclusions of the built-in Virtual Machine Contributor role.
    $role.NotActions = (Get-AzureRmRoleDefinition -Name 'Virtual Machine Contributor').NotActions

    # Restrict where the role can be assigned to a single subscription.
    $subs = '/subscriptions/00000000-0000-0000-0000-000000000000'  # use your subscription ID
    $role.AssignableScopes = $subs

    New-AzureRmRoleDefinition -Role $role

    Note

    Mind the following:

    • Use Connect-AzureRmAccount and Get-AzureRmSubscription to obtain the subscription ID that you enter in the script.
    • The script is provided for Microsoft Azure PowerShell version 5.1.1 bundled with Veeam Backup & Replication. The naming of commands may vary for other versions of Microsoft Azure PowerShell.

    2. Assign the created role to the required Azure user. For details, see the Manage access to Azure resources using RBAC and the Azure portal section in the RBAC for Azure resources documentation.
    3. In the Subscription step of the Microsoft Azure Compute Account wizard, select Create a new account and click the Configure account link. In the window, select the Azure user with the assigned role. For details, see Select Access Type.
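    As an added example (not part of the Veeam documentation), the following Az PowerShell snippet lists every principal in the subscription whose role grants Microsoft.Authorization/roleAssignments/write, the permission carried by the role created above; a principal holding it can create role assignments within that scope, so its holders should be reviewed periodically. It assumes $subs from the script above is still defined in the session; the Test-RoleGrantsAction helper is written for this example.

```powershell
# Added example (not Veeam's code). Assumes $subs (the subscription scope)
# from the Az script above is still defined in this session.
Import-Module Az.Resources

# Azure action strings use '*' as a wildcard and PowerShell's -like uses the same
# character, so a role's Actions and NotActions can be matched against the target
# action directly. A NotActions entry removes the action even if Actions allows it.
function Test-RoleGrantsAction {
    param(
        [Parameter(Mandatory)] $Role,            # PSRoleDefinition
        [Parameter(Mandatory)] [string] $Action  # e.g. 'Microsoft.Authorization/roleAssignments/write'
    )
    $allowed = @($Role.Actions    | Where-Object { $Action -like $_ }).Count -gt 0
    $denied  = @($Role.NotActions | Where-Object { $Action -like $_ }).Count -gt 0
    return ($allowed -and -not $denied)
}

$target = 'Microsoft.Authorization/roleAssignments/write'
$defs   = @{}   # cache role definitions by id; many assignments share one role

# Assignments visible at the subscription scope, including inherited ones.
$holders = Get-AzRoleAssignment -Scope $subs | ForEach-Object {
    $id = $_.RoleDefinitionId
    if (-not $defs.ContainsKey($id)) { $defs[$id] = Get-AzRoleDefinition -Id $id }
    if (Test-RoleGrantsAction -Role $defs[$id] -Action $target) {
        [pscustomobject]@{
            Principal = $_.DisplayName
            Type      = $_.ObjectType
            Role      = $_.RoleDefinitionName
            Scope     = $_.Scope
        }
    }
}

# Expected output: the built-in Owner and User Access Administrator holders plus
# whoever was assigned the custom role above; anything else deserves a closer look.
$holders | Sort-Object Role, Principal | Format-Table -AutoSize
```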