Permissions Changelog

This section describes the latest changes in Azure Account permissions required for Veeam Backup for Microsoft Azure to perform operations.

When you update Veeam Backup for Microsoft Azure version 5a to version 6.0, consider that service accounts must be assigned additional permissions:

  • For Veeam Backup for Microsoft Azure to be able to back up and restore Azure virtual network configurations, Azure service accounts must be additionally assigned the following permission:

"Microsoft.Network/ddosProtectionPlans/join/action",

"Microsoft.Network/ddosProtectionPlans/read",

"Microsoft.Network/natGateways/join/action",

"Microsoft.Network/natGateways/read",

"Microsoft.Network/networkSecurityGroups/securityRules/delete",

"Microsoft.Network/networkSecurityGroups/securityRules/read",

"Microsoft.Network/networkSecurityGroups/securityRules/write",

"Microsoft.Network/networkSecurityGroups/write",

"Microsoft.Network/routeTables/read",

"Microsoft.Network/routeTables/routes/delete",

"Microsoft.Network/routeTables/routes/read",

"Microsoft.Network/routeTables/routes/write",

"Microsoft.Network/routeTables/write",

"Microsoft.Network/virtualNetworks/join/action",

"Microsoft.Network/virtualNetworks/peer/action",

"Microsoft.Network/virtualNetworks/subnets/read",

"Microsoft.Network/virtualNetworks/subnets/write",

"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",

"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write"

  • For Veeam Backup for Microsoft Azure to be able to allow worker instances to process resources that reside in private virtual networks, Azure service accounts must be additionally assigned the following permissions:

"Microsoft.Network/privateDnsZones/delete",

"Microsoft.Network/privateDnsZones/join/action",

"Microsoft.Network/privateDnsZones/read",

"Microsoft.Network/privateDnsZones/write",

"Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read",

"Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write",

"Microsoft.Network/privateLinkServices/delete",

"Microsoft.Network/privateLinkServices/PrivateEndpointConnectionsApproval/action",

"Microsoft.Network/privateLinkServices/read",

"Microsoft.Network/privateLinkServices/write",

"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"

  • For Veeam Backup for Microsoft Azure to be able to use Azure Queue Storage as a messaging service, Azure service accounts must be additionally assigned the following permissions:

"Microsoft.Storage/storageAccounts/queueServices/queues/delete",

"Microsoft.Storage/storageAccounts/queueServices/queues/read",

"Microsoft.Storage/storageAccounts/queueServices/queues/write",

"Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete",

"Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",

"Microsoft.Storage/storageAccounts/queueServices/queues/messages/write"