The accounts used for installing and using Veeam Availability Orchestrator must have the following permissions.
The account used for product installation must be a domain user who has the Local Administrator permissions on the target machine.
VAO Service Accounts
The accounts used to run VAO services, Veeam Backup & Replication services and Veeam ONE services must have the Local Administrator permissions on the VAO server.
The accounts must also be granted the Log on as a service right. For more information on Windows security policy settings, see Microsoft Docs.
VAO Agent Installation Account
The account used to install a VAO agent on a Veeam Backup & Replication server must have the Veeam Backup Administrator permissions on the server.
The account used to connect the vCenter Server to the VAO infrastructure must have the Administrator permissions.
Instead of granting the Administrator permissions to the account, you can configure more granular permissions. For more information, see Veeam Backup & Replication Required Permissions and Veeam ONE Required Permissions.
Microsoft SQL Server
Different sets of Microsoft SQL permissions are required in the following cases:
VAO Step Accounts
The account used to run the Verify SharePoint step, must be assigned the SharePoint_Shell_Access role and must be a member of the WSS_ADMIN_WPG group on the processed VM.
The account used to run the Exchange Credentials step, must be assigned the ApplicationImpersonation role on the processed VM.