Creating Custom Role for Azure and Azure Stack Hub Accounts

Granular permissions differ depending on whether you create an Azure Stack Hub account, or Azure Compute account using a new Microsoft Entra ID (formerly Azure Active Directory) application, or Azure Compute account using an existing Microsoft Entra ID application.

Note

This section describes permissions required for Veeam Backup & Replication to perform tasks. If you need to perform other tasks, for example create virtual networks, add the required permissions for those tasks manually.

Instead of granular permissions, you can use built-in roles. For more information, see Permissions.

Permissions for Azure Compute Account (Existing Application)

If you plan to add an Azure Compute account using an existing Microsoft Entra ID (formerly Azure Active Directory) application (select the Use the existing account option at the Access Type step of the wizard), and you do not want to use built-in Azure roles, you can create a custom role with granular permissions:

  1. In the Azure Portal, go to subscription properties and open Access control (IAM).
  2. Create a custom role from a JSON file as described in Microsoft Docs. Use the following JSON. In the assignableScopes field, specify your subscription ID.

Creating Custom Role for Azure and Azure Stack Hub AccountsJSON — Permissions for Existing Application

{

   "properties": {

       "roleName": "Veeam Restore Operator",

       "description": "Permissions needed for an application for an Azure Compute Account",

       "assignableScopes": [

           "/subscriptions/your_subscription_ID_here"

       ],

       "permissions": [

           {

               "actions": [

                   "Microsoft.Storage/storageAccounts/listkeys/action",

                   "Microsoft.Storage/storageAccounts/read",

                   "Microsoft.Storage/storageAccounts/queueServices/queues/delete",

                   "Microsoft.Storage/storageAccounts/queueServices/queues/read",

                   "Microsoft.Storage/storageAccounts/queueServices/queues/write",

                   "Microsoft.Network/locations/checkDnsNameAvailability/read",

                   "Microsoft.Network/virtualNetworks/read",

                   "Microsoft.Network/virtualNetworks/subnets/join/action",

                   "Microsoft.Network/publicIPAddresses/read",

                   "Microsoft.Network/publicIPAddresses/write",

                   "Microsoft.Network/publicIPAddresses/delete",

                   "Microsoft.Network/publicIPAddresses/join/action",

                   "Microsoft.Network/networkInterfaces/read",

                   "Microsoft.Network/networkInterfaces/write",

                   "Microsoft.Network/networkInterfaces/delete",

                   "Microsoft.Network/networkInterfaces/join/action",

                   "Microsoft.Network/networkSecurityGroups/read",

                   "Microsoft.Network/networkSecurityGroups/write",

                   "Microsoft.Network/networkSecurityGroups/delete",

                   "Microsoft.Network/networkSecurityGroups/join/action",

                   "Microsoft.Compute/locations/vmSizes/read",

                   "Microsoft.Compute/locations/usages/read",

                   "Microsoft.Compute/virtualMachines/read",

                   "Microsoft.Compute/virtualMachines/write",

                   "Microsoft.Compute/virtualMachines/delete",

                   "Microsoft.Compute/virtualMachines/start/action",

                   "Microsoft.Compute/virtualMachines/deallocate/action",

                   "Microsoft.Compute/virtualMachines/instanceView/read",

                   "Microsoft.Compute/virtualMachines/extensions/read",

                   "Microsoft.Compute/virtualMachines/extensions/write",

                   "Microsoft.Compute/virtualMachines/convertToManagedDisks/action",

                   "Microsoft.Compute/disks/read",

                   "Microsoft.Compute/disks/write",

                   "Microsoft.Compute/disks/beginGetAccess/action",

                   "Microsoft.Compute/disks/delete",

                   "Microsoft.Compute/disks/endGetAccess/action",

                   "Microsoft.Resources/checkResourceName/action",

                   "Microsoft.Resources/subscriptions/resourceGroups/read",

                   "Microsoft.Resources/subscriptions/resourceGroups/write",

                   "Microsoft.Resources/subscriptions/locations/read",

                   "Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/read",

                   "Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/write"

               ],

               "notActions": [],

               "dataActions": [

                   "Microsoft.KeyVault/vaults/keys/encrypt/action",

                   "Microsoft.KeyVault/vaults/keys/decrypt/action",

                   "Microsoft.KeyVault/vaults/keys/read",

                   "Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete",

                   "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",

                   "Microsoft.Storage/storageAccounts/queueServices/queues/messages/write",

                   "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"

               ],

               "notDataActions": []

           }

       ]

   }

}

  1. Assign the created role to the required Microsoft Entra ID application. For details, see the Manage access to Azure resources using RBAC and the Azure portal section in the RBAC for Azure resources documentation.
  2. At the Account Type step of the Microsoft Azure Compute Account wizard, select Use existing account.
  3. At the Subscription step of the wizard, specify the Azure Microsoft Entra ID application with the assigned role.

Permissions for Azure Compute Account (New Application)

If you plan to add an Azure Compute account using a new Microsoft Entra ID (formerly Azure Active Directory) application (select the Create a new account option at the Subscription step of the wizard), and you do not want to use built-in Azure roles, you can create a custom role with granular permissions:

  1. In the Azure Portal, go to subscription properties and open Access control (IAM).
  2. Create a custom role from a JSON file as described in Microsoft Docs. Use the following JSON. In the assignableScopes field, specify your subscription ID.

Creating Custom Role for Azure and Azure Stack Hub AccountsJSON — Permissions for New Application

{

   "properties": {

       "roleName": "Veeam Register Azure Compute Account using new Microsoft Entra ID application",

       "description": "Permissions needed for a user to add an Azure Compute Account based on new Microsoft Entra ID application",

       "assignableScopes": [

           "/subscriptions/00000000-0000-0000-0000-000000000000"

       ],

       "permissions": [

           {

               "actions": [

                   "Microsoft.Authorization/roleDefinitions/read",

                   "Microsoft.Authorization/roleAssignments/read",

                   "Microsoft.Authorization/roleAssignments/write"

               ],

               "notActions": [],

               "dataActions": [],

               "notDataActions": []

           }

       ]

   }

}

  1. Assign the created role to the required Microsoft Entra ID user. For details, see the Manage access to Azure resources using RBAC and the Azure portal section in the RBAC for Azure resources documentation.
  2. At the Account Type step of the Microsoft Azure Compute Account wizard, select Create a new account.
  3. At the Subscription step, configure the account as described in section Creating New Microsoft Entra ID Application. On the Microsoft Azure device authentication page, specify an Microsoft Entra ID user account with the assigned role.

Note

The described permissions are required for assigning a role on the subscription level for the registered application. Also, privileges to register applications are required. For more information, see Permissions.

Permissions for Azure Stack Hub Compute Account (Existing Application)

If you plan to add an Azure Stack Hub account using an existing Microsoft Entra ID application (select the Use the existing account option at the Subscription step of the wizard), and you do not want to use built-in Azure roles, you can create a custom role with granular permissions:

  1. In the Azure Stack Hub management portal, go to subscription properties and open Access control (IAM).
  2. Create a custom role from a JSON file as described in Microsoft Docs. Use the following JSON. In the assignableScopes field, specify your subscription ID.

Creating Custom Role for Azure and Azure Stack Hub AccountsJSON — Permissions for Existing Application

{

   "properties": {

       "roleName": "Veeam Restore Operator",

       "description": "Permissions needed for an application for an Azure Compute Account",

       "assignableScopes": [

           "/subscriptions/your_subscription_ID_here"

       ],

       "permissions": [

           {

               "actions": [

                   "Microsoft.Storage/storageAccounts/listkeys/action",

                   "Microsoft.Storage/storageAccounts/read",

                   "Microsoft.Network/locations/checkDnsNameAvailability/read",

                   "Microsoft.Network/virtualNetworks/read",

                   "Microsoft.Network/virtualNetworks/subnets/join/action",

                   "Microsoft.Network/publicIPAddresses/read",

                   "Microsoft.Network/publicIPAddresses/write",

                   "Microsoft.Network/publicIPAddresses/delete",

                   "Microsoft.Network/publicIPAddresses/join/action",

                   "Microsoft.Network/networkInterfaces/read",

                   "Microsoft.Network/networkInterfaces/write",

                   "Microsoft.Network/networkInterfaces/delete",

                   "Microsoft.Network/networkInterfaces/join/action",

                   "Microsoft.Network/networkSecurityGroups/read",

                   "Microsoft.Network/networkSecurityGroups/write",

                   "Microsoft.Network/networkSecurityGroups/delete",

                   "Microsoft.Network/networkSecurityGroups/join/action",

                   "Microsoft.Compute/locations/vmSizes/read",

                   "Microsoft.Compute/locations/usages/read",

                   "Microsoft.Compute/virtualMachines/read",

                   "Microsoft.Compute/virtualMachines/write",

                   "Microsoft.Compute/virtualMachines/delete",

                   "Microsoft.Compute/virtualMachines/start/action",

                   "Microsoft.Compute/virtualMachines/deallocate/action",

                   "Microsoft.Compute/virtualMachines/extensions/read",

                   "Microsoft.Compute/virtualMachines/extensions/write",

                   "Microsoft.Resources/checkResourceName/action",

                   "Microsoft.Resources/subscriptions/resourceGroups/read",

                   "Microsoft.Resources/subscriptions/resourceGroups/write",

                   "Microsoft.Resources/subscriptions/locations/read"

               ],

               "notActions": [],

               "dataActions": [],

               "notDataActions": []

           }

       ]

   }

}

  1. Assign the created role to the required Microsoft Entra ID application. For details, see the Manage access to Azure resources using RBAC and the Azure portal section in the RBAC for Azure resources documentation.
  2. At the Account Type step of the Microsoft Azure Compute Account wizard, select Use existing account.
  3. At the Subscription step of the wizard, specify the Microsoft Entra ID application with the assigned role.

Permissions for Azure Stack Hub Compute Account (New Application)

If you plan to add an Azure Stack Hub account using a new Microsoft Entra ID (formerly Azure Active Directory) application (select the Create a new account option at the Subscription step of the wizard), and you do not want to use built-in Azure roles, you can create a custom role with granular permissions:

  1. In the Azure Stack Hub management portal, go to subscription properties and open Access control (IAM).
  2. Create a custom role from a JSON file as described in Microsoft Docs. Use the following JSON. In the assignableScopes field, specify your subscription ID.

Creating Custom Role for Azure and Azure Stack Hub AccountsJSON — Permissions for New Application

{

   "properties": {

       "roleName": "Veeam Register Azure Compute Account using new Microsoft Entra ID application",

       "description": "Permissions needed for a user to add an Azure Compute Account based on new Microsoft Entra ID application",

       "assignableScopes": [

           "/subscriptions/00000000-0000-0000-0000-000000000000"

       ],

       "permissions": [

           {

               "actions": [

                   "Microsoft.Authorization/roleDefinitions/read",

                   "Microsoft.Authorization/roleAssignments/read",

                   "Microsoft.Authorization/roleAssignments/write"

               ],

               "notActions": [],

               "dataActions": [],

               "notDataActions": []

           }

       ]

   }

}

  1. Assign the created role to the required Microsoft Entra ID user. For details, see the Manage access to Azure resources using RBAC and the Azure portal section in the RBAC for Azure resources documentation.
  2. At the Account Type step of the Microsoft Azure Compute Account wizard, select Create a new account.
  3. At the Subscription step, configure the account as described in section Creating New Microsoft Entra ID Application. On the Microsoft Azure device authentication page, specify an Microsoft Entra ID user account with the assigned role.

Note

The described permissions are required for assigning a role on the subscription level for the registered application. Also, privileges to register applications are required. For more information, see Permissions.

Page updated 12/21/2023

Page content applies to build 12.1.1.56