Plug-In Permissions

To perform backup and restore operations, the accounts that Microsoft Azure Plug-in for Veeam Backup & Replication uses for data protection and disaster recovery must be granted the following permissions.

Veeam Backup & Replication User Account Permissions

A user account that you plan to use when installing and working with Veeam Backup & Replication must have the permissions described in the Veeam Backup & Replication User Guide, section Installing and Using Veeam Backup & Replication.

If you plan to connect to Veeam Backup & Replication using the Remote Access Console, you must run the console as administrator.

Veeam Backup for Microsoft Azure User Account Permissions

To get access to Veeam Backup for Microsoft Azure functionality, Veeam Backup & Replication uses user accounts of backup appliances.

A user account that will be used by Veeam Backup & Replication to authenticate against the backup appliance and get access to the appliance functionality must be assigned the Portal Administrator role. For more information on user roles, see Managing Permissions.

Note

If you deploy a backup appliance from the Veeam Backup & Replication console, Veeam Backup & Replication will automatically create the necessary user account that will be assigned all the required permissions.

Service Account Permissions

Microsoft Azure Plug-in for Veeam Backup & Replication requires a Microsoft Azure compute account (service account) whose permissions are used to create, connect and manage backup appliances, and to perform data protection and disaster recovery operations with Microsoft Azure resources.

You can specify an existing account or instruct Veeam Backup & Replication to create a new account:

  • If you specify an existing account, Veeam Backup & Replication connects to an existing Azure AD application that must be assigned the following set of permissions:

Full list of permissions

{
    "permissions": [
        {
            "actions": [
                "Microsoft.Authorization/locks/Read",
                "Microsoft.Authorization/roleAssignments/read",
                "Microsoft.Commerce/RateCard/read",
                "Microsoft.Compute/availabilitySets/read",
                "Microsoft.Compute/availabilitySets/vmSizes/read",
                "Microsoft.Compute/diskAccesses/delete",
                "Microsoft.Compute/diskAccesses/privateEndpointConnections/read",
                "Microsoft.Compute/diskAccesses/privateEndpointConnections/write",
                "Microsoft.Compute/diskAccesses/PrivateEndpointConnectionsApproval/action",
                "Microsoft.Compute/diskAccesses/read",
                "Microsoft.Compute/diskAccesses/write",
                "Microsoft.Compute/diskEncryptionSets/read",
                "Microsoft.Compute/disks/beginGetAccess/action",
                "Microsoft.Compute/disks/delete",
                "Microsoft.Compute/disks/endGetAccess/action",
                "Microsoft.Compute/disks/read",
                "Microsoft.Compute/disks/write",
                "Microsoft.Compute/snapshots/beginGetAccess/action",
                "Microsoft.Compute/snapshots/delete",
                "Microsoft.Compute/snapshots/endGetAccess/action",
                "Microsoft.Compute/snapshots/read",
                "Microsoft.Compute/snapshots/write",
                "Microsoft.Compute/sshPublicKeys/read",
                "Microsoft.Compute/sshPublicKeys/write",
                "Microsoft.Compute/sshPublicKeys/generateKeyPair/action",
                "Microsoft.Compute/virtualMachines/deallocate/action",
                "Microsoft.Compute/virtualMachines/delete",
                "Microsoft.Compute/virtualMachines/extensions/read",
                "Microsoft.Compute/virtualMachines/extensions/write",
                "Microsoft.Compute/virtualMachines/read",
                "Microsoft.Compute/virtualMachines/runCommand/action",
                "Microsoft.Compute/virtualMachines/start/action",
                "Microsoft.Compute/virtualMachines/write",
                "Microsoft.DevTestLab/Schedules/write",
                "Microsoft.DevTestLab/Schedules/read",
                "Microsoft.Insights/eventtypes/values/Read",
                "Microsoft.Insights/MetricDefinitions/Read",
                "Microsoft.Insights/Metrics/Read",
                "Microsoft.KeyVault/vaults/deploy/action",
                "Microsoft.KeyVault/vaults/keys/versions/read",
                "Microsoft.KeyVault/vaults/read",
                "Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/read",
                "Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/write",
                "Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/read",
                "Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/write",
                "Microsoft.Network/ddosProtectionPlans/join/action",
                "Microsoft.Network/ddosProtectionPlans/read",
                "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
                "Microsoft.Network/loadBalancers/read",
                "Microsoft.Network/natGateways/join/action",
                "Microsoft.Network/natGateways/read",
                "Microsoft.Network/networkInterfaces/delete",
                "Microsoft.Network/networkInterfaces/join/action",
                "Microsoft.Network/networkInterfaces/read",
                "Microsoft.Network/networkInterfaces/write",
                "Microsoft.Network/networkSecurityGroups/delete",
                "Microsoft.Network/networkSecurityGroups/join/action",
                "Microsoft.Network/networkSecurityGroups/read",
                "Microsoft.Network/networkSecurityGroups/securityRules/delete",
                "Microsoft.Network/networkSecurityGroups/securityRules/read",
                "Microsoft.Network/networkSecurityGroups/securityRules/write",
                "Microsoft.Network/networkSecurityGroups/write",
                "Microsoft.Network/privateDnsZones/delete",
                "Microsoft.Network/privateDnsZones/join/action",
                "Microsoft.Network/privateDnsZones/read",
                "Microsoft.Network/privateDnsZones/write",
                "Microsoft.Network/privateEndpoints/delete",
                "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read",
                "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write",
                "Microsoft.Network/privateEndpoints/read",
                "Microsoft.Network/privateEndpoints/write",
                "Microsoft.Network/privateLinkServices/delete",
                "Microsoft.Network/privateLinkServices/PrivateEndpointConnectionsApproval/action",
                "Microsoft.Network/privateLinkServices/privateEndpointConnections/read",
                "Microsoft.Network/privateLinkServices/privateEndpointConnections/write",
                "Microsoft.Network/privateLinkServices/privateEndpointConnections/delete",
                "Microsoft.Network/privateLinkServices/read",
                "Microsoft.Network/privateLinkServices/write",
                "Microsoft.Network/publicIPAddresses/delete",
                "Microsoft.Network/publicIPAddresses/join/action",
                "Microsoft.Network/publicIPAddresses/read",
                "Microsoft.Network/publicIPAddresses/write",
                "Microsoft.Network/routeTables/join/action",
                "Microsoft.Network/routeTables/read",
                "Microsoft.Network/routeTables/routes/delete",
                "Microsoft.Network/routeTables/routes/read",
                "Microsoft.Network/routeTables/routes/write",
                "Microsoft.Network/routeTables/write",
                "Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read",
                "Microsoft.Network/virtualNetworks/delete",
                "Microsoft.Network/virtualNetworks/join/action",
                "Microsoft.Network/virtualNetworks/peer/action",
                "Microsoft.Network/virtualNetworks/read",
                "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
                "Microsoft.Network/virtualNetworks/subnets/join/action",
                "Microsoft.Network/virtualNetworks/subnets/read",
                "Microsoft.Network/virtualNetworks/subnets/write",
                "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
                "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
                "Microsoft.Network/virtualNetworks/write",
                "Microsoft.Resources/subscriptions/resourceGroups/delete",
                "Microsoft.Resources/subscriptions/resourceGroups/moveResources/action",
                "Microsoft.Resources/subscriptions/resourceGroups/read",
                "Microsoft.Resources/subscriptions/resourceGroups/write",
                "Microsoft.Resources/subscriptions/resourceGroups/validateMoveResources/action",
                "Microsoft.ServiceBus/namespaces/delete",
                "Microsoft.ServiceBus/namespaces/networkrulesets/delete",
                "Microsoft.ServiceBus/namespaces/networkrulesets/read",
                "Microsoft.ServiceBus/namespaces/networkrulesets/write",
                "Microsoft.ServiceBus/namespaces/operationresults/read",
                "Microsoft.ServiceBus/namespaces/queues/authorizationRules/ListKeys/action",
                "Microsoft.ServiceBus/namespaces/queues/authorizationRules/read",
                "Microsoft.ServiceBus/namespaces/queues/authorizationRules/write",
                "Microsoft.ServiceBus/namespaces/queues/delete",
                "Microsoft.ServiceBus/namespaces/queues/read",
                "Microsoft.ServiceBus/namespaces/queues/write",
                "Microsoft.ServiceBus/namespaces/read",
                "Microsoft.ServiceBus/namespaces/write",
                "Microsoft.ServiceBus/register/action",
                "Microsoft.Sql/locations/*",
                "Microsoft.Sql/managedInstances/databases/delete",
                "Microsoft.Sql/managedInstances/databases/read",
                "Microsoft.Sql/managedInstances/databases/write",
                "Microsoft.Sql/managedInstances/encryptionProtector/read",
                "Microsoft.Sql/managedInstances/read",
                "Microsoft.Sql/servers/databases/azureAsyncOperation/read",
                "Microsoft.Sql/servers/databases/delete",
                "Microsoft.Sql/servers/databases/read",
                "Microsoft.Sql/servers/databases/syncGroups/read",
                "Microsoft.Sql/servers/databases/transparentDataEncryption/read",
                "Microsoft.Sql/servers/databases/usages/read",
                "Microsoft.Sql/servers/databases/write",
                "Microsoft.Sql/servers/elasticPools/read",
                "Microsoft.Sql/servers/encryptionProtector/read",
                "Microsoft.Sql/servers/read",
                "Microsoft.Storage/storageAccounts/blobServices/containers/read",
                "Microsoft.Storage/storageAccounts/blobServices/containers/write",
                "Microsoft.Storage/storageAccounts/blobServices/read",
                "Microsoft.Storage/storageAccounts/listKeys/action",
                "Microsoft.Storage/storageAccounts/managementPolicies/write",
                "Microsoft.Storage/storageAccounts/privateEndpointConnections/write",
                "Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action",
                "Microsoft.Storage/storageAccounts/queueServices/queues/delete",
                "Microsoft.Storage/storageAccounts/queueServices/queues/read",
                "Microsoft.Storage/storageAccounts/queueServices/queues/write",
                "Microsoft.Storage/storageAccounts/read",
                "Microsoft.Storage/storageAccounts/write"
            ],
            "notActions": [],
            "dataActions": [
                "Microsoft.KeyVault/vaults/keys/encrypt/action",
                "Microsoft.KeyVault/vaults/keys/decrypt/action",
                "Microsoft.KeyVault/vaults/keys/read",
                "Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete",
                "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
                "Microsoft.Storage/storageAccounts/queueServices/queues/messages/write"
            ],
            "notDataActions": []
        }
    ]
}

 

List of permissions to upgrade backup appliance to version 6.0

{
    "permissions": [
        {
            "actions": [
                "Microsoft.Authorization/roleAssignments/read",
                "Microsoft.Compute/diskEncryptionSets/read",
                "Microsoft.Compute/disks/beginGetAccess/action",
                "Microsoft.Compute/disks/delete",
                "Microsoft.Compute/disks/endGetAccess/action",
                "Microsoft.Compute/disks/read",
                "Microsoft.Compute/disks/write",
                "Microsoft.Compute/snapshots/delete",
                "Microsoft.Compute/snapshots/read",
                "Microsoft.Compute/snapshots/write",
                "Microsoft.Compute/virtualMachines/deallocate/action",
                "Microsoft.Compute/virtualMachines/delete",
                "Microsoft.Compute/virtualMachines/extensions/read",
                "Microsoft.Compute/virtualMachines/extensions/write",
                "Microsoft.Compute/virtualMachines/read",
                "Microsoft.Compute/virtualMachines/runCommand/action",
                "Microsoft.Compute/virtualMachines/start/action",
                "Microsoft.Compute/virtualMachines/write",
                "Microsoft.Network/networkInterfaces/delete",
                "Microsoft.Network/networkInterfaces/join/action",
                "Microsoft.Network/networkInterfaces/read",
                "Microsoft.Network/networkInterfaces/write",
                "Microsoft.Network/networkSecurityGroups/join/action",
                "Microsoft.Network/networkSecurityGroups/read",
                "Microsoft.Network/networkSecurityGroups/write",
                "Microsoft.Network/publicIPAddresses/join/action",
                "Microsoft.Network/publicIPAddresses/read",
                "Microsoft.Network/publicIPAddresses/write",
                "Microsoft.Network/virtualNetworks/read",
                "Microsoft.Network/virtualNetworks/subnets/join/action",
                "Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/read",
                "Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/write",
                "Microsoft.Resources/subscriptions/resourceGroups/read"
            ],
            "notDataActions": []
        }
    ]
}
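
When you specify an existing Azure AD application, it is worth confirming before the first job runs that its role grants every operation in the lists above. The following is an added example, not part of the Veeam documentation or product. It assumes the role definition is available in the same JSON shape as the lists above; the function names and the sample data are constructed for illustration.

```python
import re

def _matches(pattern, action):
    # Azure RBAC operation strings are case-insensitive; '*' is a wildcard.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def _covered(need, blocks, kind, not_kind):
    # A permission block grants `need` if an entry in `kind` matches it and
    # no entry in `not_kind` of the same block subtracts it again.
    for block in blocks:
        granted = any(_matches(g, need) for g in block.get(kind, []))
        removed = any(_matches(d, need) for d in block.get(not_kind, []))
        if granted and not removed:
            return True
    return False

def missing_permissions(required_doc, role_doc):
    """Return the required operations that the role does not grant."""
    missing = {"actions": [], "dataActions": []}
    pairs = (("actions", "notActions"), ("dataActions", "notDataActions"))
    for kind, not_kind in pairs:
        for req_block in required_doc["permissions"]:
            for need in req_block.get(kind, []):
                if not _covered(need, role_doc["permissions"], kind, not_kind):
                    missing[kind].append(need)
    return missing

# Constructed excerpt: five entries copied from the full list on this page.
REQUIRED = {"permissions": [{
    "actions": ["Microsoft.Compute/disks/read",
                "Microsoft.Compute/virtualMachines/runCommand/action",
                "Microsoft.Sql/locations/*",
                "Microsoft.Storage/storageAccounts/listKeys/action"],
    "dataActions": ["Microsoft.KeyVault/vaults/keys/decrypt/action"]}]}

# Constructed sample role for the existing application (not real tenant data).
ROLE = {"permissions": [{
    "actions": ["microsoft.compute/*", "Microsoft.Sql/locations/*",
                "Microsoft.Storage/storageAccounts/read"],
    "notActions": ["Microsoft.Compute/virtualMachines/runCommand/action"],
    "dataActions": [], "notDataActions": []}]}

if __name__ == "__main__":
    for kind, ops in missing_permissions(REQUIRED, ROLE).items():
        for op in ops:
            print(f"missing {kind}: {op}")
```

Replace REQUIRED with the complete list from this page and ROLE with the exported role definition; an empty result for both keys means the role covers the list.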

 

Note

Azure AD applications have been recently renamed to Microsoft Entra applications in Microsoft Docs. However, these applications are still referred to as Azure AD applications both in this guide and the Veeam Backup for Microsoft Azure Web UI, and are subject to change in a future release.

Azure SQL Account

An Azure SQL account that you plan to use to restore Microsoft Azure databases must be assigned full administrative permissions on Azure SQL servers and Azure SQL Managed Instances to which you restore databases.

Virtualization Servers and Hosts Service Account Permissions

If you plan to copy backups to on-premises repositories, to perform restore to VMware vSphere and Microsoft Hyper-V environments, or to perform other tasks related to virtualization servers and hosts, you must check whether the service account specified for these servers and hosts has the required permissions described in the Veeam Backup & Replication User Guide for VMware vSphere and Veeam Backup & Replication User Guide for Microsoft Hyper-V, section Using Virtualization Servers and Hosts.

Google Cloud Service Account Permissions

A service account that you plan to use to restore Azure VMs to Google Cloud must have the permissions described in the Veeam Backup & Replication User Guide, section Google Compute Engine IAM User Permissions.

AWS IAM User Permissions

An IAM user whose one-time access keys you plan to use to restore Azure VMs to AWS must have the permissions described in the Veeam Backup & Replication User Guide, section AWS IAM User Permissions.