Service Account Permissions
Veeam Backup for Microsoft Azure uses service accounts to perform the following operations:
- To enumerate resources added to backup policies.
- To create snapshots and backups of Azure resources protected by policies.
- To create and manage worker instances.
- To create and manage backup repositories.
- To restore Azure VMs, virtual disks, and files and folders from cloud-native snapshots and image-level backups.
- To restore Azure SQL databases and Cosmos DB accounts from backups.
- To restore files of Azure file shares from cloud-native snapshots.
- To create backups of Azure virtual network configurations.
- To restore Azure virtual network configurations from backups.
To allow your backup appliance to perform these operations, service accounts that will be used to access Azure resources must be added to Veeam Backup for Microsoft Azure as described in section Adding Service Accounts. You can add the service accounts either automatically or using existing Microsoft Entra applications:
- If you choose to add an account automatically, you will not have to take any additional configuration steps since Veeam Backup for Microsoft Azure will grant all the required permissions to this account automatically.
- If you choose to add an account using an existing Microsoft Entra application, you will have to make sure the application has the following permissions granted:
```json
{
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/locks/delete",
        "Microsoft.Authorization/locks/Read",
        "Microsoft.Authorization/locks/write",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Commerce/RateCard/read",
        "Microsoft.Compute/availabilitySets/read",
        "Microsoft.Compute/availabilitySets/vmSizes/read",
        "Microsoft.Compute/diskAccesses/delete",
        "Microsoft.Compute/diskAccesses/privateEndpointConnections/read",
        "Microsoft.Compute/diskAccesses/privateEndpointConnections/write",
        "Microsoft.Compute/diskAccesses/PrivateEndpointConnectionsApproval/action",
        "Microsoft.Compute/diskAccesses/read",
        "Microsoft.Compute/diskAccesses/write",
        "Microsoft.Compute/diskEncryptionSets/read",
        "Microsoft.Compute/disks/beginGetAccess/action",
        "Microsoft.Compute/disks/delete",
        "Microsoft.Compute/disks/endGetAccess/action",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/snapshots/beginGetAccess/action",
        "Microsoft.Compute/snapshots/delete",
        "Microsoft.Compute/snapshots/endGetAccess/action",
        "Microsoft.Compute/snapshots/read",
        "Microsoft.Compute/snapshots/write",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/delete",
        "Microsoft.Compute/virtualMachines/extensions/delete",
        "Microsoft.Compute/virtualMachines/extensions/read",
        "Microsoft.Compute/virtualMachines/extensions/write",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/runCommand/action",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/write",
        "microsoft.dbforpostgresql/servergroupsv2/*/read",
        "microsoft.dbforpostgresql/servergroupsv2/*/write",
        "Microsoft.DevTestLab/Schedules/read",
        "Microsoft.DevTestLab/Schedules/write",
        "Microsoft.DocumentDB/databaseAccounts/delete",
        "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/read",
        "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/write",
        "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/read",
        "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/write",
        "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action",
        "Microsoft.DocumentDB/databaseAccounts/metrics/read",
        "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/read",
        "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/read",
        "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/write",
        "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/read",
        "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/read",
        "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/write",
        "Microsoft.DocumentDB/databaseAccounts/read",
        "Microsoft.DocumentDB/databaseAccounts/restore/action",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write",
        "Microsoft.DocumentDB/databaseAccounts/tables/read",
        "Microsoft.DocumentDB/databaseAccounts/tables/write",
        "Microsoft.DocumentDB/databaseAccounts/write",
        "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read",
        "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read",
        "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action",
        "Microsoft.Insights/eventtypes/values/Read",
        "Microsoft.Insights/MetricDefinitions/Read",
        "Microsoft.Insights/Metrics/Read",
        "Microsoft.KeyVault/vaults/deploy/action",
        "Microsoft.KeyVault/vaults/keys/versions/read",
        "Microsoft.KeyVault/vaults/read",
        "Microsoft.Network/ddosProtectionPlans/join/action",
        "Microsoft.Network/ddosProtectionPlans/read",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/natGateways/join/action",
        "Microsoft.Network/natGateways/read",
        "Microsoft.Network/networkInterfaces/delete",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/delete",
        "Microsoft.Network/networkSecurityGroups/securityRules/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/privateDnsZones/A/write",
        "Microsoft.Network/privateDnsZones/delete",
        "Microsoft.Network/privateDnsZones/join/action",
        "Microsoft.Network/privateDnsZones/read",
        "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read",
        "Microsoft.Network/privateDnsZones/virtualNetworkLinks/write",
        "Microsoft.Network/privateDnsZones/write",
        "Microsoft.Network/privateEndpoints/delete",
        "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read",
        "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write",
        "Microsoft.Network/privateEndpoints/read",
        "Microsoft.Network/privateEndpoints/write",
        "Microsoft.Network/privateLinkServices/delete",
        "Microsoft.Network/privateLinkServices/privateEndpointConnections/delete",
        "Microsoft.Network/privateLinkServices/privateEndpointConnections/read",
        "Microsoft.Network/privateLinkServices/privateEndpointConnections/write",
        "Microsoft.Network/privateLinkServices/PrivateEndpointConnectionsApproval/action",
        "Microsoft.Network/privateLinkServices/read",
        "Microsoft.Network/privateLinkServices/write",
        "Microsoft.Network/publicIPAddresses/delete",
        "Microsoft.Network/publicIPAddresses/join/action",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/publicIPAddresses/write",
        "Microsoft.Network/routeTables/join/action",
        "Microsoft.Network/routeTables/read",
        "Microsoft.Network/routeTables/routes/delete",
        "Microsoft.Network/routeTables/routes/read",
        "Microsoft.Network/routeTables/routes/write",
        "Microsoft.Network/routeTables/write",
        "Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read",
        "Microsoft.Network/virtualNetworks/delete",
        "Microsoft.Network/virtualNetworks/join/action",
        "Microsoft.Network/virtualNetworks/peer/action",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Resources/subscriptions/resourceGroups/delete",
        "Microsoft.Resources/subscriptions/resourceGroups/moveResources/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/validateMoveResources/action",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Search/searchServices/sharedPrivateLinkResources/operationStatuses/read",
        "Microsoft.Search/searchServices/sharedPrivateLinkResources/read",
        "Microsoft.Search/searchServices/sharedPrivateLinkResources/write",
        "Microsoft.Sql/locations/*",
        "Microsoft.Sql/managedInstances/databases/delete",
        "Microsoft.Sql/managedInstances/databases/read",
        "Microsoft.Sql/managedInstances/databases/write",
        "Microsoft.Sql/managedInstances/encryptionProtector/read",
        "Microsoft.Sql/managedInstances/read",
        "Microsoft.Sql/servers/databases/azureAsyncOperation/read",
        "Microsoft.Sql/servers/databases/delete",
        "Microsoft.Sql/servers/databases/read",
        "Microsoft.Sql/servers/databases/syncGroups/read",
        "Microsoft.Sql/servers/databases/transparentDataEncryption/read",
        "Microsoft.Sql/servers/databases/usages/read",
        "Microsoft.Sql/servers/databases/write",
        "Microsoft.Sql/servers/elasticPools/read",
        "Microsoft.Sql/servers/encryptionProtector/read",
        "Microsoft.Sql/servers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/read",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/managementPolicies/write",
        "Microsoft.Storage/storageAccounts/privateEndpointConnections/write",
        "Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action",
        "Microsoft.Storage/storageAccounts/queueServices/queues/delete",
        "Microsoft.Storage/storageAccounts/queueServices/queues/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/write",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/decrypt/action",
        "Microsoft.KeyVault/vaults/keys/encrypt/action",
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/write"
      ],
      "notDataActions": []
    }
  ]
}
```
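One way to check that the role held by an existing Microsoft Entra application covers the permission list above, shown as an added example that is not part of the Veeam documentation. The names `REQUIRED`, `SAMPLE_ROLE`, `covers` and `missing_permissions` are hypothetical, the role definition is constructed sample data, and the matching assumes Azure RBAC semantics (`*` wildcards, operation names compared case-insensitively, `notActions` subtracted from `actions`).

```python
import re

# Subset of the permissions listed above; paste the full lists for a real check.
REQUIRED = {
    "actions": [
        "Microsoft.Authorization/locks/Read",
        "Microsoft.Compute/snapshots/write",
        "Microsoft.Compute/virtualMachines/runCommand/action",
        "Microsoft.Sql/locations/*",
        "Microsoft.Storage/storageAccounts/listKeys/action",
    ],
    "dataActions": ["Microsoft.KeyVault/vaults/keys/decrypt/action"],
}

# Constructed role definition (not a real role) for a hypothetical application.
SAMPLE_ROLE = {"permissions": [{
    "actions": [
        "microsoft.authorization/locks/read",
        "Microsoft.Compute/snapshots/*",
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Sql/locations/read",
        "Microsoft.Storage/storageAccounts/*",
    ],
    "notActions": ["Microsoft.Compute/virtualMachines/runCommand/action"],
    "dataActions": [],
}]}

def covers(pattern, action):
    """True if an RBAC pattern ('*' wildcard, case-insensitive) matches action."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, action.lower()) is not None

def missing_permissions(role, required):
    """Return the required operations that the role definition does not grant."""
    missing = {}
    for kind, deny_kind in (("actions", "notActions"), ("dataActions", "notDataActions")):
        missing[kind] = []
        for need in required.get(kind, []):
            granted = False
            for block in role["permissions"]:
                allowed = any(covers(p, need) for p in block.get(kind, []))
                # A not* entry that overlaps the requirement removes it from the grant.
                denied = any(covers(p, need) or covers(need, p) for p in block.get(deny_kind, []))
                granted = granted or (allowed and not denied)
            if not granted:
                missing[kind].append(need)
    return missing

if __name__ == "__main__":
    print(missing_permissions(SAMPLE_ROLE, REQUIRED))
```

The check covers a single role definition; permissions the application receives through other role assignments are additive and have to be merged into `role["permissions"]` before comparing.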