Permissions Changelog
This section describes the latest changes in service account permissions required for Veeam Backup for Microsoft Azure to perform operations.
When you update Veeam Backup for Microsoft Azure version 6.0 to version 7.0, consider that service accounts must be assigned additional permissions:
- For Veeam Backup for Microsoft Azure to be able to back up and restore Cosmos DB accounts, service accounts must be additionally assigned the following permissions:
"Microsoft.Authorization/roleAssignments/read", "microsoft.dbforpostgresql/servergroupsv2/*/read", "microsoft.dbforpostgresql/servergroupsv2/*/write", "Microsoft.DocumentDB/databaseAccounts/delete", "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/read", "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/write", "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/read", "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/write", "Microsoft.DocumentDB/databaseAccounts/metrics/read", "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/write", "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/read", "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/read", "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/write", "Microsoft.DocumentDB/databaseAccounts/read", "Microsoft.DocumentDB/databaseAccounts/restore/action", "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read", "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read", "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write", "Microsoft.DocumentDB/databaseAccounts/tables/read", "Microsoft.DocumentDB/databaseAccounts/tables/write", "Microsoft.DocumentDB/databaseAccounts/write", "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read", "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read", "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action", "Microsoft.Insights/eventtypes/values/Read", "Microsoft.Insights/Metrics/Read", "Microsoft.Resources/subscriptions/resourceGroups/read"
- For Veeam Backup for Microsoft Azure to be able to allow worker instances to perform backup and restore operations, service accounts must be additionally assigned the following permissions:
"Microsoft.Compute/snapshots/beginGetAccess/action", "Microsoft.Compute/snapshots/endGetAccess/action", "Microsoft.Compute/snapshots/read", "Microsoft.Compute/snapshots/write", "Microsoft.Compute/virtualMachines/extensions/delete", "Microsoft.Compute/virtualMachines/runCommand/action", "Microsoft.Network/networkSecurityGroups/write", "Microsoft.Network/virtualNetworks/subnets/read", "Microsoft.Network/virtualNetworks/subnets/write", "Microsoft.Search/searchServices/sharedPrivateLinkResources/operationStatuses/read", "Microsoft.Search/searchServices/sharedPrivateLinkResources/read", "Microsoft.Search/searchServices/sharedPrivateLinkResources/write"
- For Veeam Backup for Microsoft Azure to be able to back up and restore Azure SQL databases, service accounts must be additionally assigned the following permissions:
"Microsoft.Sql/locations/*", "Microsoft.Sql/managedInstances/databases/delete", "Microsoft.Sql/managedInstances/databases/write", "Microsoft.Sql/managedInstances/read", "Microsoft.Sql/servers/elasticPools/read"
- For Veeam Backup for Microsoft Azure to be able to restore virtual network configurations, service accounts must be additionally assigned the following permission:
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete"
- Due to the deprecation of the Service Bus messaging service, the following permissions were removed from the list of permissions required for service accounts:
"Microsoft.ServiceBus/namespaces/delete", "Microsoft.ServiceBus/namespaces/networkrulesets/delete", "Microsoft.ServiceBus/namespaces/networkrulesets/read", "Microsoft.ServiceBus/namespaces/networkrulesets/write", "Microsoft.ServiceBus/namespaces/operationresults/read", "Microsoft.ServiceBus/namespaces/queues/authorizationRules/ListKeys/action", "Microsoft.ServiceBus/namespaces/queues/authorizationRules/read", "Microsoft.ServiceBus/namespaces/queues/authorizationRules/write", "Microsoft.ServiceBus/namespaces/queues/delete", "Microsoft.ServiceBus/namespaces/queues/read", "Microsoft.ServiceBus/namespaces/queues/write", "Microsoft.ServiceBus/namespaces/read", "Microsoft.ServiceBus/namespaces/write", "Microsoft.ServiceBus/register/action"
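The following added example (not part of the Veeam documentation or product) shows one way to audit an existing custom role against this changelog: it reports 7.0 permissions that the role does not effectively grant and role entries that still grant the removed Service Bus permissions. The function names, the sample role and the shortened permission lists are assumptions made for illustration; paste in the full lists above before real use.

```python
import re

# Subset of the permissions listed above (illustrative, not the full lists).
ADDED_IN_V7 = [
    "Microsoft.DocumentDB/databaseAccounts/restore/action",
    "Microsoft.Insights/eventtypes/values/Read",
    "Microsoft.Sql/locations/*",
    "Microsoft.Compute/virtualMachines/runCommand/action",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
]
REMOVED_IN_V7 = [
    "Microsoft.ServiceBus/namespaces/queues/authorizationRules/ListKeys/action",
    "Microsoft.ServiceBus/namespaces/write",
]

def covers(granted, required):
    """True if a granted action string (may contain '*') covers `required`."""
    # Assumption: actions compare case-insensitively and '*' matches any
    # run of characters, including '/'.
    pattern = ".*".join(re.escape(part) for part in granted.lower().split("*"))
    return re.fullmatch(pattern, required.lower()) is not None

def audit(actions, not_actions, added=ADDED_IN_V7, removed=REMOVED_IN_V7):
    """Return (missing, stale) for a role's Actions and NotActions lists."""
    def effective(req):
        # Granted by some action and not subtracted by any NotActions entry.
        return (any(covers(a, req) for a in actions)
                and not any(covers(n, req) for n in not_actions))
    missing = [p for p in added if not effective(p)]
    stale = [a for a in actions if any(covers(a, r) for r in removed)]
    return missing, stale

# Constructed sample: Actions / NotActions of a hypothetical 6.0-era custom role.
SAMPLE_ACTIONS = [
    "Microsoft.DocumentDB/databaseAccounts/*",
    "microsoft.insights/eventtypes/values/read",
    "Microsoft.Sql/locations/read",
    "Microsoft.Compute/virtualMachines/*",
    "Microsoft.ServiceBus/namespaces/*",
]
SAMPLE_NOT_ACTIONS = ["Microsoft.Compute/virtualMachines/runCommand/action"]

if __name__ == "__main__":
    missing, stale = audit(SAMPLE_ACTIONS, SAMPLE_NOT_ACTIONS)
    print("missing:", missing)
    print("stale:", stale)
```

A wildcard grant counts as stale when it still covers a removed permission, and a required permission excluded through NotActions is reported as missing even if a broader wildcard appears to grant it.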