Creating Custom Role for Azure and Azure Stack Hub Accounts

The set of granular permissions differs depending on whether you create an Azure Stack Hub account, an Azure Compute account using a new Azure AD application, or an Azure Compute account using an existing Azure AD application.

Permissions for Azure Compute Account (Existing Application)

If you plan to add an Azure Compute account using an existing Azure AD application (select the Use the existing account option at the Access Type step of the wizard), and you do not want to use built-in Azure roles, you can create a custom role with granular permissions:

  1. Run one of the following scripts in Azure PowerShell:

Script for Az PowerShell

Import-Module Az.Resources

# Define a custom role; IsCustom must be $true for New-AzRoleDefinition.
$role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
$role.Name = 'Veeam Restore Operator'
$role.Description = 'Permissions for Veeam Restore to Microsoft Azure'
$role.IsCustom = $true

# Control-plane (ARM) permissions
$permissionsActions = @(
    'Microsoft.Storage/storageAccounts/listkeys/action',
    'Microsoft.Storage/storageAccounts/read',
    'Microsoft.Network/locations/checkDnsNameAvailability/read',
    'Microsoft.Network/virtualNetworks/read',
    'Microsoft.Network/virtualNetworks/subnets/join/action',
    'Microsoft.Network/publicIPAddresses/read',
    'Microsoft.Network/publicIPAddresses/write',
    'Microsoft.Network/publicIPAddresses/delete',
    'Microsoft.Network/publicIPAddresses/join/action',
    'Microsoft.Network/networkInterfaces/read',
    'Microsoft.Network/networkInterfaces/write',
    'Microsoft.Network/networkInterfaces/delete',
    'Microsoft.Network/networkInterfaces/join/action',
    'Microsoft.Network/networkSecurityGroups/read',
    'Microsoft.Network/networkSecurityGroups/write',
    'Microsoft.Network/networkSecurityGroups/delete',
    'Microsoft.Network/networkSecurityGroups/join/action',
    'Microsoft.Compute/locations/vmSizes/read',
    'Microsoft.Compute/locations/usages/read',
    'Microsoft.Compute/virtualMachines/read',
    'Microsoft.Compute/virtualMachines/write',
    'Microsoft.Compute/virtualMachines/delete',
    'Microsoft.Compute/virtualMachines/start/action',
    'Microsoft.Compute/virtualMachines/deallocate/action',
    'Microsoft.Compute/virtualMachines/instanceView/read',
    'Microsoft.Compute/virtualMachines/extensions/read',
    'Microsoft.Compute/virtualMachines/extensions/write',
    'Microsoft.Compute/virtualMachines/convertToManagedDisks/action',
    'Microsoft.Compute/disks/read',
    'Microsoft.Compute/disks/write',
    'Microsoft.Compute/disks/beginGetAccess/action',
    'Microsoft.Compute/disks/delete',
    'Microsoft.Compute/disks/endGetAccess/action',
    'Microsoft.Resources/checkResourceName/action',
    'Microsoft.Resources/subscriptions/resourceGroups/read',
    'Microsoft.Resources/subscriptions/resourceGroups/write',
    'Microsoft.Resources/subscriptions/locations/read',
    'Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/read',
    'Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/write'
)

# Data-plane permissions (Key Vault key operations)
$permissionsDataActions = @(
    'Microsoft.KeyVault/vaults/keys/encrypt/action',
    'Microsoft.KeyVault/vaults/keys/decrypt/action',
    'Microsoft.KeyVault/vaults/keys/read'
)

$role.Actions = $permissionsActions
$role.DataActions = $permissionsDataActions

# The role can only be assigned within these scopes.
$subs = '/subscriptions/00000000-0000-0000-0000-000000000000'  # use your subscription ID
$role.AssignableScopes = $subs

New-AzRoleDefinition -Role $role

Note

Consider the following:

  • Use Connect-AzAccount to sign in and Get-AzSubscription to obtain the subscription ID that you substitute into $subs. The role can only be assigned within the scopes listed in AssignableScopes.
  • Microsoft.Storage/storageAccounts/listkeys/action returns the shared access keys of a storage account, which give full data-plane access to every storage account within the assignment scope. Protect the application's client secret or certificate accordingly.
  • The script is provided for Az PowerShell module 6.0.0. The naming of commands may vary for other versions of the Az PowerShell module.

Script for Legacy AzureRM PowerShell

Import-Module AzureRM.Resources

# Define a custom role; IsCustom must be $true for New-AzureRmRoleDefinition.
$role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
$role.Name = 'Veeam Restore Operator'
$role.Description = 'Permissions for Veeam Restore to Microsoft Azure'
$role.IsCustom = $true

# Control-plane (ARM) permissions
$permissionsActions = @(
    'Microsoft.Storage/storageAccounts/listkeys/action',
    'Microsoft.Storage/storageAccounts/read',
    'Microsoft.Network/locations/checkDnsNameAvailability/read',
    'Microsoft.Network/virtualNetworks/read',
    'Microsoft.Network/virtualNetworks/subnets/join/action',
    'Microsoft.Network/publicIPAddresses/read',
    'Microsoft.Network/publicIPAddresses/write',
    'Microsoft.Network/publicIPAddresses/delete',
    'Microsoft.Network/publicIPAddresses/join/action',
    'Microsoft.Network/networkInterfaces/read',
    'Microsoft.Network/networkInterfaces/write',
    'Microsoft.Network/networkInterfaces/delete',
    'Microsoft.Network/networkInterfaces/join/action',
    'Microsoft.Network/networkSecurityGroups/read',
    'Microsoft.Network/networkSecurityGroups/write',
    'Microsoft.Network/networkSecurityGroups/delete',
    'Microsoft.Network/networkSecurityGroups/join/action',
    'Microsoft.Compute/locations/vmSizes/read',
    'Microsoft.Compute/locations/usages/read',
    'Microsoft.Compute/virtualMachines/read',
    'Microsoft.Compute/virtualMachines/write',
    'Microsoft.Compute/virtualMachines/delete',
    'Microsoft.Compute/virtualMachines/start/action',
    'Microsoft.Compute/virtualMachines/deallocate/action',
    'Microsoft.Compute/virtualMachines/instanceView/read',
    'Microsoft.Compute/virtualMachines/extensions/read',
    'Microsoft.Compute/virtualMachines/extensions/write',
    'Microsoft.Compute/virtualMachines/convertToManagedDisks/action',
    'Microsoft.Compute/disks/read',
    'Microsoft.Compute/disks/write',
    'Microsoft.Compute/disks/beginGetAccess/action',
    'Microsoft.Compute/disks/delete',
    'Microsoft.Compute/disks/endGetAccess/action',
    'Microsoft.Resources/checkResourceName/action',
    'Microsoft.Resources/subscriptions/resourceGroups/read',
    'Microsoft.Resources/subscriptions/resourceGroups/write',
    'Microsoft.Resources/subscriptions/locations/read',
    'Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/read',
    'Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/write'
)

# Data-plane permissions (Key Vault key operations)
$permissionsDataActions = @(
    'Microsoft.KeyVault/vaults/keys/encrypt/action',
    'Microsoft.KeyVault/vaults/keys/decrypt/action',
    'Microsoft.KeyVault/vaults/keys/read'
)

$role.Actions = $permissionsActions
$role.DataActions = $permissionsDataActions

# The role can only be assigned within these scopes.
$subs = '/subscriptions/00000000-0000-0000-0000-000000000000'  # use your subscription ID
$role.AssignableScopes = $subs

New-AzureRmRoleDefinition -Role $role

Note

Consider the following:

  • Use Connect-AzureRmAccount to sign in and Get-AzureRmSubscription to obtain the subscription ID that you substitute into $subs.
  • The script is provided for Microsoft Azure PowerShell version 5.1.1 bundled with Veeam Backup & Replication. The naming of commands may vary for other versions of Microsoft Azure PowerShell. The AzureRM module has been retired by Microsoft; use the Az script unless you must use the bundled version.
  2. Assign the created role to the required application. For details, see the Manage access to Azure resources using RBAC and the Azure portal section in the RBAC for Azure resources documentation.
  3. At the Access Type step of the Microsoft Azure Compute Account wizard, select Use existing account.
  4. At the Subscription step, specify the Azure AD application with the assigned role.
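The following Az PowerShell script is an added example; it is not part of the original page or of Veeam's scripts. It covers what steps 2 to 4 above leave to you: resolving the subscription ID for $subs, assigning the Veeam Restore Operator role to the service principal of the existing Azure AD application, and checking the stored role before the assignment is made. The subscription name and the application (client) ID are placeholders you must replace.

```powershell
# Added example (not from the original page): assign the custom role created by
# the script above to an existing Azure AD application and verify the result.
# Assumptions: Az.Accounts and Az.Resources are installed; the subscription name
# and the application (client) ID below are placeholders.
Import-Module Az.Accounts
Import-Module Az.Resources

$subscriptionName = 'Production'                              # placeholder
$appId            = '11111111-1111-1111-1111-111111111111'    # placeholder: application (client) ID
$roleName         = 'Veeam Restore Operator'

# Sign in and pin the context to the target subscription. Get-AzSubscription
# returns the ID that the creation script expects in $subs.
Connect-AzAccount | Out-Null
$subscription = Get-AzSubscription -SubscriptionName $subscriptionName
Set-AzContext -SubscriptionId $subscription.Id | Out-Null
$subs = "/subscriptions/$($subscription.Id)"

# 1. The role must exist and must be the custom one, not a built-in role of
#    the same name.
$role = Get-AzRoleDefinition -Name $roleName
if (-not $role)          { throw "Role '$roleName' does not exist; run the creation script first." }
if (-not $role.IsCustom) { throw "'$roleName' resolves to a built-in role, not the custom one." }

# 2. Least-privilege sanity checks on what was actually stored: no wildcard
#    permission that silently widens the role, and the role is assignable here.
$wildcards = @($role.Actions) + @($role.DataActions) | Where-Object { $_.Contains('*') }
if ($wildcards) { throw "Role contains wildcard permissions: $($wildcards -join ', ')" }
if ($role.AssignableScopes -notcontains $subs) {
    throw "Role is not assignable at $subs (AssignableScopes: $($role.AssignableScopes -join ', '))"
}

# 3. Assign the role to the application's service principal at subscription
#    scope, skipping the call if the assignment is already in place.
$sp = Get-AzADServicePrincipal -ApplicationId $appId
if (-not $sp) { throw "No service principal found for application $appId" }

$current = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $subs -RoleDefinitionName $roleName
if ($current) {
    Write-Host "Assignment already present for $($sp.DisplayName) at $subs"
} else {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $subs | Out-Null
    Write-Host "Assigned '$roleName' to $($sp.DisplayName) at $subs"
}

# 4. Verify: exactly the intended principal, role and scope.
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $subs -RoleDefinitionName $roleName |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
```

The checks in step 2 catch the two mistakes most often made when a role is later edited by hand: a '*' action that widens the role far beyond the list on this page, and an assignment attempted at a scope that the role definition does not allow, which Azure rejects with a less than obvious error.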

Permissions for Azure Compute Account (New Application)

If you plan to add an Azure Compute account using a new Azure Active Directory (AD) application (select the Create a new account option at the Access Type step of the wizard), and you do not want to use built-in Azure roles, you can create a custom role with granular permissions:

  1. Run one of the following scripts in Azure PowerShell:

Script for Az PowerShell

Import-Module Az.Resources

# Define a custom role; IsCustom must be $true for New-AzRoleDefinition.
$role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
$role.Name = 'Veeam Register Azure Compute Account using new Azure AD application'
$role.Description = 'Permissions needed to add an Azure Compute Account based on new Azure AD application'
$role.IsCustom = $true

# The wizard only needs to read and create role assignments for the new application.
$permissions = @(
    'Microsoft.Authorization/roleAssignments/read',
    'Microsoft.Authorization/roleAssignments/write'
)

$role.Actions = $permissions

# The role can only be assigned within these scopes.
$subs = '/subscriptions/00000000-0000-0000-0000-000000000000'  # use your subscription ID
$role.AssignableScopes = $subs

New-AzRoleDefinition -Role $role

Note

Consider the following:

  • Use Connect-AzAccount to sign in and Get-AzSubscription to obtain the subscription ID that you substitute into $subs.
  • Microsoft.Authorization/roleAssignments/write at subscription scope lets the holder create any role assignment, including Owner, for any principal in that subscription. Assign this role to the user only for the time needed to register the account and remove the assignment afterwards.
  • The script is provided for Az PowerShell module 6.0.0. The naming of commands may vary for other versions of the Az PowerShell module.

Script for Legacy AzureRM PowerShell

Import-Module AzureRM.Resources

# Define a custom role; IsCustom must be $true for New-AzureRmRoleDefinition.
$role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
$role.Name = 'Veeam Register Azure Compute Account using new Azure AD application'
$role.Description = 'Permissions needed to add an Azure Compute Account based on new Azure AD application'
$role.IsCustom = $true

# The wizard only needs to read and create role assignments for the new application.
$permissions = @(
    'Microsoft.Authorization/roleAssignments/read',
    'Microsoft.Authorization/roleAssignments/write'
)

$role.Actions = $permissions

# The role can only be assigned within these scopes.
$subs = '/subscriptions/00000000-0000-0000-0000-000000000000'  # use your subscription ID
$role.AssignableScopes = $subs

New-AzureRmRoleDefinition -Role $role

Note

Consider the following:

  • Use Connect-AzureRmAccount to sign in and Get-AzureRmSubscription to obtain the subscription ID that you substitute into $subs.
  • The script is provided for Microsoft Azure PowerShell version 5.1.1 bundled with Veeam Backup & Replication. The naming of commands may vary for other versions of Microsoft Azure PowerShell. The AzureRM module has been retired by Microsoft; use the Az script unless you must use the bundled version.
  2. Assign the created role to the required Azure user. For details, see the Manage access to Azure resources using RBAC and the Azure portal section in the RBAC for Azure resources documentation.
  3. At the Access Type step of the Microsoft Azure Compute Account wizard, select Create a new account.
  4. At the Subscription step, configure the account as described in section Creating New Azure AD Application. On the Microsoft Azure device authentication page, specify the Azure AD user account with the assigned role.
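The following Az PowerShell script is an added example, not part of the original page or of Veeam's scripts. It creates the registration role from step 1 idempotently (re-running the page's script fails because a role with that name already exists), assigns it to the user who will run the wizard, and verifies that the stored role contains exactly the two roleAssignments actions and nothing else. The subscription ID and the user principal name are placeholders you must replace.

```powershell
# Added example (not from the original page): create the registration role
# idempotently, assign it to the user who will run the wizard, and confirm that
# the stored role grants nothing beyond the two role-assignment actions.
# Assumptions: Az.Accounts and Az.Resources are installed; the subscription ID
# and the user principal name below are placeholders.
Import-Module Az.Accounts
Import-Module Az.Resources

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$userUpn        = 'backup.admin@contoso.example'           # placeholder
$roleName       = 'Veeam Register Azure Compute Account using new Azure AD application'
$subs           = "/subscriptions/$subscriptionId"

$expectedActions = @(
    'Microsoft.Authorization/roleAssignments/read',
    'Microsoft.Authorization/roleAssignments/write'
)

Connect-AzAccount -Subscription $subscriptionId | Out-Null

# Create the role if it is missing; otherwise bring the existing definition
# back in line with the expected one (New-AzRoleDefinition fails on a
# duplicate name, Set-AzRoleDefinition updates in place).
$role = Get-AzRoleDefinition -Name $roleName
if (-not $role) {
    $role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
    $role.Name             = $roleName
    $role.Description      = 'Permissions needed to add an Azure Compute Account based on new Azure AD application'
    $role.IsCustom         = $true
    $role.Actions          = $expectedActions
    $role.AssignableScopes = @($subs)
    $role = New-AzRoleDefinition -Role $role
} else {
    $role.Actions          = $expectedActions
    $role.NotActions       = @()
    $role.DataActions      = @()
    $role.NotDataActions   = @()
    $role.AssignableScopes = @($subs)
    $role = Set-AzRoleDefinition -Role $role
}

# Verify that what is stored is exactly the two intended actions and no more.
$role = Get-AzRoleDefinition -Name $roleName
$diff = Compare-Object -ReferenceObject $expectedActions -DifferenceObject @($role.Actions)
if ($diff -or @($role.DataActions).Count -gt 0) {
    throw "Stored role differs from the expected definition: $($diff | Out-String)"
}

# Assign the role to the user, skipping the call if it is already assigned.
# roleAssignments/write at subscription scope lets the holder grant any role,
# including Owner, to any principal, so keep this assignment short-lived.
$assignment = Get-AzRoleAssignment -SignInName $userUpn -Scope $subs -RoleDefinitionName $roleName
if (-not $assignment) {
    $assignment = New-AzRoleAssignment -SignInName $userUpn -RoleDefinitionName $roleName -Scope $subs
}
$assignment | Select-Object DisplayName, RoleDefinitionName, Scope

# Once the wizard has registered the account, remove the assignment again:
# Remove-AzRoleAssignment -SignInName $userUpn -RoleDefinitionName $roleName -Scope $subs
```

The Compare-Object check is the part worth keeping in any change pipeline: a role whose name suggests it only registers an account but whose Actions list has grown is a common way for a subscription to end up with an unintended privileged principal.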

Permissions for Azure Stack Hub Compute Account (Existing Application)

If you plan to add an Azure Stack Hub account using an existing Azure AD application (select the Use existing account option at the Account Type step of the wizard), and you do not want to use built-in roles, you can create a custom role with granular permissions:

  1. In the Azure Stack Hub management portal, go to subscription properties and open Access control (IAM).
  2. Create a custom role from a JSON file as described in Microsoft Docs. Use the following JSON. In the assignableScopes field, specify your subscription ID.

JSON: Permissions for Existing Application

{
    "properties": {
        "roleName": "Veeam Restore Operator",
        "description": "Permissions needed for an application for an Azure Compute Account",
        "assignableScopes": [
            "/subscriptions/your_subscription_ID_here"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Storage/storageAccounts/listkeys/action",
                    "Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Network/locations/checkDnsNameAvailability/read",
                    "Microsoft.Network/virtualNetworks/read",
                    "Microsoft.Network/virtualNetworks/subnets/join/action",
                    "Microsoft.Network/publicIPAddresses/read",
                    "Microsoft.Network/publicIPAddresses/write",
                    "Microsoft.Network/publicIPAddresses/delete",
                    "Microsoft.Network/publicIPAddresses/join/action",
                    "Microsoft.Network/networkInterfaces/read",
                    "Microsoft.Network/networkInterfaces/write",
                    "Microsoft.Network/networkInterfaces/delete",
                    "Microsoft.Network/networkInterfaces/join/action",
                    "Microsoft.Network/networkSecurityGroups/read",
                    "Microsoft.Network/networkSecurityGroups/write",
                    "Microsoft.Network/networkSecurityGroups/delete",
                    "Microsoft.Network/networkSecurityGroups/join/action",
                    "Microsoft.Compute/locations/vmSizes/read",
                    "Microsoft.Compute/locations/usages/read",
                    "Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachines/write",
                    "Microsoft.Compute/virtualMachines/delete",
                    "Microsoft.Compute/virtualMachines/start/action",
                    "Microsoft.Compute/virtualMachines/deallocate/action",
                    "Microsoft.Compute/virtualMachines/extensions/read",
                    "Microsoft.Compute/virtualMachines/extensions/write",
                    "Microsoft.Resources/checkResourceName/action",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/write",
                    "Microsoft.Resources/subscriptions/locations/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

  3. Assign the created role to the required Azure AD application. For details, see the Manage access to Azure resources using RBAC and the Azure portal section in the RBAC for Azure resources documentation.
  4. At the Account Type step of the Microsoft Azure Compute Account wizard, select Use existing account.
  5. At the Subscription step of the wizard, specify the Azure AD application with the assigned role.

Permissions for Azure Stack Hub Compute Account (New Application)

If you plan to add an Azure Stack Hub account using a new Azure Active Directory (AD) application (select the Create a new account option at the Account Type step of the wizard), and you do not want to use built-in roles, you can create a custom role with granular permissions:

  1. In the Azure Stack Hub management portal, go to subscription properties and open Access control (IAM).
  2. Create a custom role from a JSON file as described in Microsoft Docs. Use the following JSON. In the assignableScopes field, specify your subscription ID.

JSON: Permissions for New Application

{
    "properties": {
        "roleName": "Veeam Register Azure Compute Account using new Azure AD application",
        "description": "Permissions needed for a user to add an Azure Compute Account based on new Azure AD application",
        "assignableScopes": [
            "/subscriptions/00000000-0000-0000-0000-000000000000"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/roleAssignments/read",
                    "Microsoft.Authorization/roleAssignments/write"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

  3. Assign the created role to the required Azure AD user. For details, see the Manage access to Azure resources using RBAC and the Azure portal section in the RBAC for Azure resources documentation.
  4. At the Account Type step of the Microsoft Azure Compute Account wizard, select Create a new account.
  5. At the Subscription step, configure the account as described in section Creating New Azure AD Application. On the Microsoft Azure device authentication page, specify the Azure AD user account with the assigned role.
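The following Az PowerShell script is an added example, not part of the original page or of Veeam's scripts; it applies to both Azure Stack Hub JSON definitions above. The JSON on this page is in the shape that the portal's JSON import expects ({"properties": {...}}), which the Az cmdlets do not accept directly, so the script maps it onto a PSRoleDefinition, pins assignableScopes to the subscription you pass in (replacing the placeholder in the file), rejects wildcard permissions, and creates the role through the Azure Stack Hub user ARM endpoint instead of the portal. The file path, the ARM endpoint, the subscription ID and the helper name ConvertTo-PSRoleDefinition are this example's own; the Az.Accounts and Az.Resources versions are assumed to be ones supported on your Azure Stack Hub build.

```powershell
# Added example (not from the original page): load one of the portal-format
# JSON role definitions shown above and create it on Azure Stack Hub with Az.
# Assumptions: the JSON is saved at $jsonPath; $armEndpoint and $subscriptionId
# are placeholders; the installed Az modules are ones Azure Stack Hub supports.
Import-Module Az.Accounts
Import-Module Az.Resources

$jsonPath       = '.\veeam-restore-operator.json'                   # placeholder
$armEndpoint    = 'https://management.region.azurestack.example'    # placeholder: Azure Stack Hub user ARM endpoint
$subscriptionId = '00000000-0000-0000-0000-000000000000'            # placeholder

# Hypothetical helper (this example's own): map the portal JSON shape onto the
# flat PSRoleDefinition that New-AzRoleDefinition expects, validating as we go.
function ConvertTo-PSRoleDefinition {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$SubscriptionId
    )

    $doc = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $p   = $doc.properties
    if (-not $p -or -not $p.roleName) { throw "$Path is not a role definition in the portal JSON format." }
    if (@($p.permissions).Count -ne 1) { throw "Expected exactly one permissions block, found $(@($p.permissions).Count)." }
    $perm = @($p.permissions)[0]

    # The page's file carries a placeholder scope; warn and replace it with the
    # subscription passed in rather than trusting whatever the file contains.
    $scope      = "/subscriptions/$SubscriptionId"
    $fileScopes = @($p.assignableScopes | Where-Object { $_ })
    if ($fileScopes -and ($fileScopes -notcontains $scope)) {
        Write-Warning "assignableScopes in $Path ($($fileScopes -join ', ')) replaced with $scope"
    }

    # Refuse wildcards: a single '*' entry would turn this into a near-Owner role.
    $wild = @($perm.actions) + @($perm.dataActions) | Where-Object { $_ -and $_.Contains('*') }
    if ($wild) { throw "Wildcard permissions are not allowed in this role: $($wild -join ', ')" }

    $role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
    $role.Name             = $p.roleName
    $role.Description      = $p.description
    $role.IsCustom         = $true
    $role.Actions          = @($perm.actions        | Where-Object { $_ })
    $role.NotActions       = @($perm.notActions     | Where-Object { $_ })
    $role.DataActions      = @($perm.dataActions    | Where-Object { $_ })
    $role.NotDataActions   = @($perm.notDataActions | Where-Object { $_ })
    $role.AssignableScopes = @($scope)
    return $role
}

$role = ConvertTo-PSRoleDefinition -Path $jsonPath -SubscriptionId $subscriptionId

# Register the Azure Stack Hub user endpoint as an Az environment (once) and
# sign in to it; role definitions then go to the stamp, not to public Azure.
if (-not (Get-AzEnvironment -Name 'AzureStackUser')) {
    Add-AzEnvironment -Name 'AzureStackUser' -ArmEndpoint $armEndpoint | Out-Null
}
Connect-AzAccount -Environment 'AzureStackUser' -Subscription $subscriptionId | Out-Null

if (Get-AzRoleDefinition -Name $role.Name) {
    throw "A role named '$($role.Name)' already exists; use Set-AzRoleDefinition to update it."
}
New-AzRoleDefinition -Role $role | Select-Object Name, IsCustom, Actions, AssignableScopes
```

Keeping the JSON file under version control and creating the role from it, rather than pasting into the portal, makes the permission list reviewable and reproducible; the same helper works unchanged against public Azure if you skip the Add-AzEnvironment step and sign in normally.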