Service Account Permissions

Veeam Backup for Microsoft Azure uses service accounts to perform the following operations:

  • To enumerate resources added to backup policies.
  • To create snapshots and backups of Azure resources protected by policies.
  • To create and manage worker instances.
  • To attach virtual disks to worker instances when performing image-level backup.
  • To restore Azure VMs, virtual disks, and files and folders from cloud-native snapshots and image-level backups.
  • To restore Azure SQL databases from backups.
  • To restore files of Azure file shares from cloud-native snapshots.
  • To create and manage backup repositories, and so on.
  • To create backups of Azure virtual network configurations.
  • To restore Azure virtual network configurations from backups.

To allow the backup appliance to perform these operations, service accounts added to Veeam Backup for Microsoft Azure must have either the Contributor and Key Vault Crypto Officer Azure built-in roles, or a custom role that grants the permissions needed to access the Azure resources that you want to protect. To learn how to create custom roles, see Microsoft Docs.

The following permissions are required for service accounts that will be used to perform all the listed operations. The permissions in the dataActions list are required only if you plan to use service accounts to manage backup repositories and to encrypt data stored in backup repositories using the Azure Key Vault service.

{
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/locks/Read",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Commerce/RateCard/read",
        "Microsoft.Compute/availabilitySets/read",
        "Microsoft.Compute/availabilitySets/vmSizes/read",
        "Microsoft.Compute/diskAccesses/delete",
        "Microsoft.Compute/diskAccesses/privateEndpointConnections/read",
        "Microsoft.Compute/diskAccesses/privateEndpointConnections/write",
        "Microsoft.Compute/diskAccesses/PrivateEndpointConnectionsApproval/action",
        "Microsoft.Compute/diskAccesses/read",
        "Microsoft.Compute/diskAccesses/write",
        "Microsoft.Compute/diskEncryptionSets/read",
        "Microsoft.Compute/disks/beginGetAccess/action",
        "Microsoft.Compute/disks/delete",
        "Microsoft.Compute/disks/endGetAccess/action",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/snapshots/beginGetAccess/action",
        "Microsoft.Compute/snapshots/delete",
        "Microsoft.Compute/snapshots/endGetAccess/action",
        "Microsoft.Compute/snapshots/read",
        "Microsoft.Compute/snapshots/write",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/delete",
        "Microsoft.Compute/virtualMachines/extensions/read",
        "Microsoft.Compute/virtualMachines/extensions/write",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/runCommand/action",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.DevTestLab/Schedules/read",
        "Microsoft.DevTestLab/Schedules/write",
        "Microsoft.Insights/eventtypes/values/Read",
        "Microsoft.Insights/MetricDefinitions/Read",
        "Microsoft.Insights/Metrics/Read",
        "Microsoft.KeyVault/vaults/deploy/action",
        "Microsoft.KeyVault/vaults/keys/versions/read",
        "Microsoft.KeyVault/vaults/read",
        "Microsoft.Network/ddosProtectionPlans/join/action",
        "Microsoft.Network/ddosProtectionPlans/read",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/natGateways/join/action",
        "Microsoft.Network/natGateways/read",
        "Microsoft.Network/networkInterfaces/delete",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/delete",
        "Microsoft.Network/networkSecurityGroups/securityRules/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/privateDnsZones/delete",
        "Microsoft.Network/privateDnsZones/join/action",
        "Microsoft.Network/privateDnsZones/read",
        "Microsoft.Network/privateDnsZones/write",
        "Microsoft.Network/privateEndpoints/delete",
        "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read",
        "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write",
        "Microsoft.Network/privateEndpoints/read",
        "Microsoft.Network/privateEndpoints/write",
        "Microsoft.Network/privateLinkServices/delete",
        "Microsoft.Network/privateLinkServices/privateEndpointConnections/delete",
        "Microsoft.Network/privateLinkServices/privateEndpointConnections/read",
        "Microsoft.Network/privateLinkServices/privateEndpointConnections/write",
        "Microsoft.Network/privateLinkServices/PrivateEndpointConnectionsApproval/action",
        "Microsoft.Network/privateLinkServices/read",
        "Microsoft.Network/privateLinkServices/write",
        "Microsoft.Network/publicIPAddresses/delete",
        "Microsoft.Network/publicIPAddresses/join/action",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/publicIPAddresses/write",
        "Microsoft.Network/routeTables/join/action",
        "Microsoft.Network/routeTables/read",
        "Microsoft.Network/routeTables/routes/delete",
        "Microsoft.Network/routeTables/routes/read",
        "Microsoft.Network/routeTables/routes/write",
        "Microsoft.Network/routeTables/write",
        "Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read",
        "Microsoft.Network/virtualNetworks/delete",
        "Microsoft.Network/virtualNetworks/join/action",
        "Microsoft.Network/virtualNetworks/peer/action",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Resources/subscriptions/resourceGroups/delete",
        "Microsoft.Resources/subscriptions/resourceGroups/moveResources/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/validateMoveResources/action",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.ServiceBus/namespaces/delete",
        "Microsoft.ServiceBus/namespaces/networkrulesets/delete",
        "Microsoft.ServiceBus/namespaces/networkrulesets/read",
        "Microsoft.ServiceBus/namespaces/networkrulesets/write",
        "Microsoft.ServiceBus/namespaces/operationresults/read",
        "Microsoft.ServiceBus/namespaces/queues/authorizationRules/ListKeys/action",
        "Microsoft.ServiceBus/namespaces/queues/authorizationRules/read",
        "Microsoft.ServiceBus/namespaces/queues/authorizationRules/write",
        "Microsoft.ServiceBus/namespaces/queues/delete",
        "Microsoft.ServiceBus/namespaces/queues/read",
        "Microsoft.ServiceBus/namespaces/queues/write",
        "Microsoft.ServiceBus/namespaces/read",
        "Microsoft.ServiceBus/namespaces/write",
        "Microsoft.ServiceBus/register/action",
        "Microsoft.Sql/locations/*",
        "Microsoft.Sql/managedInstances/databases/delete",
        "Microsoft.Sql/managedInstances/databases/read",
        "Microsoft.Sql/managedInstances/databases/write",
        "Microsoft.Sql/managedInstances/encryptionProtector/read",
        "Microsoft.Sql/managedInstances/read",
        "Microsoft.Sql/servers/databases/azureAsyncOperation/read",
        "Microsoft.Sql/servers/databases/delete",
        "Microsoft.Sql/servers/databases/read",
        "Microsoft.Sql/servers/databases/syncGroups/read",
        "Microsoft.Sql/servers/databases/transparentDataEncryption/read",
        "Microsoft.Sql/servers/databases/usages/read",
        "Microsoft.Sql/servers/databases/write",
        "Microsoft.Sql/servers/elasticPools/read",
        "Microsoft.Sql/servers/encryptionProtector/read",
        "Microsoft.Sql/servers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/read",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/managementPolicies/write",
        "Microsoft.Storage/storageAccounts/privateEndpointConnections/write",
        "Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action",
        "Microsoft.Storage/storageAccounts/queueServices/queues/delete",
        "Microsoft.Storage/storageAccounts/queueServices/queues/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/write",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/decrypt/action",
        "Microsoft.KeyVault/vaults/keys/encrypt/action",
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/write"
      ],
      "notDataActions": []
    }
  ]
}
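Before assigning a custom role to the backup service account, it is worth checking that the role actually grants every entry in the list above, and that what it grants is not much broader than that list. The following audit script is an added example, not Veeam's or Microsoft's code. It applies the Azure RBAC evaluation rules that Microsoft documents (operation names compare case-insensitively, "*" matches any characters including "/", a role grants an operation only when an actions entry matches and no notActions entry does, dataActions are evaluated separately from actions, and multiple role assignments are additive) and reports which required entries no assigned role covers. It reads the JSON shape shown on this page. The required list, the CONTRIBUTOR and KV_CRYPTO_OFFICER definitions and the custom role JSON in the script are constructed, abbreviated samples, not the real built-in role definitions; pull the real ones with `az role definition list` before relying on the result.

```python
"""Audit whether the roles assigned to a backup service account cover a
required permission list, using Azure RBAC matching rules.

Added example, not Veeam's or Microsoft's code. Role definitions and the
required list below are constructed, abbreviated samples.
"""
import json
import re


def _regex(operation):
    """Compile an Azure operation string into a regex; '*' is the only wildcard."""
    return re.compile(
        "^" + ".*".join(re.escape(p) for p in operation.split("*")) + "$",
        re.IGNORECASE,
    )


def _covers(entry, required):
    # A role entry covers a required entry when the entry's pattern matches the
    # required string taken literally. A '*' in `required` can then only be
    # absorbed by a '*' in `entry`, so a match means the entry's operation set
    # is a superset of the required one (conservative: never over-reports).
    return _regex(entry).match(required) is not None


def _overlaps(a, b):
    """True if either entry is a special case of the other (used for deny entries)."""
    return _covers(a, b) or _covers(b, a)


def role_grants(role, section, required_op):
    """Does one role definition grant `required_op` in 'actions' or 'dataActions'?"""
    deny_section = {"actions": "notActions", "dataActions": "notDataActions"}[section]
    allowed = any(_covers(e, required_op) for e in role.get(section, []))
    # A deny entry that even partially overlaps the required entry carves a hole
    # out of it, so treat overlap as "not fully granted".
    denied = any(_overlaps(e, required_op) for e in role.get(deny_section, []))
    return allowed and not denied


def missing_permissions(roles, required):
    """Required entries that no assigned role grants, keyed by section.

    Role assignments are additive in Azure, so an entry is satisfied if any
    role grants it. Empty lists mean full coverage.
    """
    return {
        section: [
            op for op in required.get(section, [])
            if not any(role_grants(r, section, op) for r in roles)
        ]
        for section in ("actions", "dataActions")
    }


def load_role_definition(text):
    """Accept the JSON shape shown on this page ({"permissions": [{...}]}) or a bare permission set."""
    doc = json.loads(text)
    return doc["permissions"][0] if "permissions" in doc else doc


# Constructed, abbreviated subset of the permission list on this page.
REQUIRED = {
    "actions": [
        "Microsoft.Compute/snapshots/read",
        "Microsoft.Compute/snapshots/write",
        "Microsoft.Sql/locations/*",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Authorization/roleAssignments/read",
    ],
    "dataActions": [
        "Microsoft.KeyVault/vaults/keys/encrypt/action",
        "Microsoft.KeyVault/vaults/keys/decrypt/action",
    ],
}

# Constructed stand-ins for the two built-in roles named on this page
# (abbreviated; Contributor has no dataActions, which is why it is not enough
# on its own for the Key Vault entries).
CONTRIBUTOR = {
    "actions": ["*"],
    "notActions": ["Microsoft.Authorization/*/Delete",
                   "Microsoft.Authorization/*/Write",
                   "Microsoft.Authorization/elevateAccess/Action"],
    "dataActions": [],
    "notDataActions": [],
}
KV_CRYPTO_OFFICER = {
    "actions": ["Microsoft.KeyVault/vaults/*/read"],
    "notActions": [],
    "dataActions": ["Microsoft.KeyVault/vaults/keys/*"],
    "notDataActions": [],
}

# Constructed custom role in the JSON shape shown on this page.
CUSTOM_ROLE_JSON = json.dumps({"permissions": [{
    "actions": REQUIRED["actions"],
    "notActions": [],
    "dataActions": REQUIRED["dataActions"] + ["Microsoft.KeyVault/vaults/keys/read"],
    "notDataActions": [],
}]})

if __name__ == "__main__":
    print("Contributor only:", missing_permissions([CONTRIBUTOR], REQUIRED))
    print("Contributor + Key Vault Crypto Officer:",
          missing_permissions([CONTRIBUTOR, KV_CRYPTO_OFFICER], REQUIRED))
    print("Custom role:", missing_permissions([load_role_definition(CUSTOM_ROLE_JSON)], REQUIRED))
```

Run it and the first line shows the Contributor-only gap (both dataActions entries missing), the second and third show full coverage. Swap in the real role definitions exported from your tenant and the full list from this page to audit an actual assignment; a notActions or notDataActions entry that overlaps a required entry is reported as missing, which is the behaviour you want when a custom role has been tightened after the fact.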
