Service Account Permissions

Veeam Backup for Microsoft Azure uses service accounts to perform the following operations:

  • To enumerate resources added to backup policies.
  • To create snapshots and backups of Azure resources protected by policies.
  • To create and manage worker instances.
  • To create and manage backup repositories.
  • To attach virtual disks to worker instances when performing image-level backup.
  • To restore Azure VMs, virtual disks, and files and folders from cloud-native snapshots and image-level backups.
  • To restore Azure SQL databases and Cosmos DB accounts from backups.
  • To restore files of Azure file shares from cloud-native snapshots.
  • To create backups of Azure virtual network configurations.
  • To restore Azure virtual network configurations from backups.

To allow your backup appliance to perform these operations, the Microsoft Entra applications associated with service accounts added to Veeam Backup for Microsoft Azure must have the Contributor, Key Vault Crypto User and Storage Queue Data Contributor Azure built-in roles assigned. Assign the roles at the scope (subscription or resource group) that contains the resources you want to protect. Contributor is a broad control-plane role; if that is wider than your environment allows, use the custom role described below instead. To learn how to create Microsoft Entra applications and assign Azure roles, see the Microsoft identity platform and Azure RBAC documentation.

If you want the service account to have granular permissions, create a custom role in Microsoft Azure, grant that role only the permissions listed below, and assign it to the Microsoft Entra application instead of the built-in roles. Keep the custom role's assignable scope as narrow as your resource layout allows.

The following permissions are required for service accounts that will be used to perform all the listed operations:

{
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/locks/Read",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Commerce/RateCard/read",
        "Microsoft.Compute/availabilitySets/read",
        "Microsoft.Compute/availabilitySets/vmSizes/read",
        "Microsoft.Compute/diskAccesses/delete",
        "Microsoft.Compute/diskAccesses/privateEndpointConnections/read",
        "Microsoft.Compute/diskAccesses/privateEndpointConnections/write",
        "Microsoft.Compute/diskAccesses/PrivateEndpointConnectionsApproval/action",
        "Microsoft.Compute/diskAccesses/read",
        "Microsoft.Compute/diskAccesses/write",
        "Microsoft.Compute/diskEncryptionSets/read",
        "Microsoft.Compute/disks/beginGetAccess/action",
        "Microsoft.Compute/disks/delete",
        "Microsoft.Compute/disks/endGetAccess/action",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/snapshots/beginGetAccess/action",
        "Microsoft.Compute/snapshots/delete",
        "Microsoft.Compute/snapshots/endGetAccess/action",
        "Microsoft.Compute/snapshots/read",
        "Microsoft.Compute/snapshots/write",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/delete",
        "Microsoft.Compute/virtualMachines/extensions/delete",
        "Microsoft.Compute/virtualMachines/extensions/read",
        "Microsoft.Compute/virtualMachines/extensions/write",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/runCommand/action",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/write",
        "microsoft.dbforpostgresql/servergroupsv2/*/read",
        "microsoft.dbforpostgresql/servergroupsv2/*/write",
        "Microsoft.DevTestLab/Schedules/read",
        "Microsoft.DevTestLab/Schedules/write",
        "Microsoft.DocumentDB/databaseAccounts/delete",
        "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/read",
        "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/write",
        "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/read",
        "Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/write",
        "Microsoft.DocumentDB/databaseAccounts/metrics/read",
        "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/read",
        "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/write",
        "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/read",
        "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/write",
        "Microsoft.DocumentDB/databaseAccounts/read",
        "Microsoft.DocumentDB/databaseAccounts/restore/action",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read",
        "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write",
        "Microsoft.DocumentDB/databaseAccounts/tables/read",
        "Microsoft.DocumentDB/databaseAccounts/tables/write",
        "Microsoft.DocumentDB/databaseAccounts/write",
        "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read",
        "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read",
        "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action",
        "Microsoft.Insights/eventtypes/values/Read",
        "Microsoft.Insights/MetricDefinitions/Read",
        "Microsoft.Insights/Metrics/Read",
        "Microsoft.KeyVault/vaults/deploy/action",
        "Microsoft.KeyVault/vaults/keys/versions/read",
        "Microsoft.KeyVault/vaults/read",
        "Microsoft.Network/ddosProtectionPlans/join/action",
        "Microsoft.Network/ddosProtectionPlans/read",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/natGateways/join/action",
        "Microsoft.Network/natGateways/read",
        "Microsoft.Network/networkInterfaces/delete",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/delete",
        "Microsoft.Network/networkSecurityGroups/securityRules/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/privateDnsZones/delete",
        "Microsoft.Network/privateDnsZones/join/action",
        "Microsoft.Network/privateDnsZones/read",
        "Microsoft.Network/privateDnsZones/write",
        "Microsoft.Network/privateEndpoints/delete",
        "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read",
        "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write",
        "Microsoft.Network/privateEndpoints/read",
        "Microsoft.Network/privateEndpoints/write",
        "Microsoft.Network/privateLinkServices/delete",
        "Microsoft.Network/privateLinkServices/privateEndpointConnections/delete",
        "Microsoft.Network/privateLinkServices/privateEndpointConnections/read",
        "Microsoft.Network/privateLinkServices/privateEndpointConnections/write",
        "Microsoft.Network/privateLinkServices/PrivateEndpointConnectionsApproval/action",
        "Microsoft.Network/privateLinkServices/read",
        "Microsoft.Network/privateLinkServices/write",
        "Microsoft.Network/publicIPAddresses/delete",
        "Microsoft.Network/publicIPAddresses/join/action",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/publicIPAddresses/write",
        "Microsoft.Network/routeTables/join/action",
        "Microsoft.Network/routeTables/read",
        "Microsoft.Network/routeTables/routes/delete",
        "Microsoft.Network/routeTables/routes/read",
        "Microsoft.Network/routeTables/routes/write",
        "Microsoft.Network/routeTables/write",
        "Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read",
        "Microsoft.Network/virtualNetworks/delete",
        "Microsoft.Network/virtualNetworks/join/action",
        "Microsoft.Network/virtualNetworks/peer/action",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Resources/subscriptions/resourceGroups/delete",
        "Microsoft.Resources/subscriptions/resourceGroups/moveResources/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/validateMoveResources/action",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Search/searchServices/sharedPrivateLinkResources/operationStatuses/read",
        "Microsoft.Search/searchServices/sharedPrivateLinkResources/read",
        "Microsoft.Search/searchServices/sharedPrivateLinkResources/write",
        "Microsoft.Sql/locations/*",
        "Microsoft.Sql/managedInstances/databases/delete",
        "Microsoft.Sql/managedInstances/databases/read",
        "Microsoft.Sql/managedInstances/databases/write",
        "Microsoft.Sql/managedInstances/encryptionProtector/read",
        "Microsoft.Sql/managedInstances/read",
        "Microsoft.Sql/servers/databases/azureAsyncOperation/read",
        "Microsoft.Sql/servers/databases/delete",
        "Microsoft.Sql/servers/databases/read",
        "Microsoft.Sql/servers/databases/syncGroups/read",
        "Microsoft.Sql/servers/databases/transparentDataEncryption/read",
        "Microsoft.Sql/servers/databases/usages/read",
        "Microsoft.Sql/servers/databases/write",
        "Microsoft.Sql/servers/elasticPools/read",
        "Microsoft.Sql/servers/encryptionProtector/read",
        "Microsoft.Sql/servers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/read",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/managementPolicies/write",
        "Microsoft.Storage/storageAccounts/privateEndpointConnections/write",
        "Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action",
        "Microsoft.Storage/storageAccounts/queueServices/queues/delete",
        "Microsoft.Storage/storageAccounts/queueServices/queues/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/write",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/decrypt/action",
        "Microsoft.KeyVault/vaults/keys/encrypt/action",
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/write"
      ],
      "notDataActions": []
    }
  ]
}


Note

The dataActions list of permissions is required only if you plan to use service accounts to manage backup repositories and to encrypt data stored in backup repositories using Azure Key Vault keys. Alternatively, you can assign the Key Vault Crypto Officer Azure built-in role to the Microsoft Entra application associated with the service account that you plan to use for backup repository management and data encryption with Azure Key Vault keys. Keep in mind that Key Vault Crypto Officer covers only the Microsoft.KeyVault data actions; the queue message data actions listed above still require the Storage Queue Data Contributor built-in role or the custom role.
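A way to turn the permissions fragment above into a deployable custom role definition and to verify that whatever role you actually assign covers the required list. This is an added example, not Veeam's or Microsoft's code. It assumes the flat role-definition document that `az role definition create --role-definition @file.json` accepts, a placeholder subscription ID for the assignable scope, and an abbreviated copy of the Contributor built-in role (only the notActions relevant here). The embedded permission fragment is a constructed subset of the page's list; paste the full JSON from this page into PAGE_FRAGMENT for real use.

```python
"""Build a deployable custom role from the permissions fragment on this page and
check whether a given role (built-in or custom) effectively covers that list."""
import json
import re
import sys

# Constructed subset of the page's fragment, kept short for the self-test.
# Replace with the full {"permissions": [...]} JSON from this page for real use.
PAGE_FRAGMENT = """{
  "permissions": [{
    "actions": [
      "Microsoft.Authorization/roleAssignments/read",
      "Microsoft.Compute/disks/beginGetAccess/action",
      "Microsoft.Compute/snapshots/write",
      "Microsoft.Storage/storageAccounts/listKeys/action"
    ],
    "notActions": [],
    "dataActions": [
      "Microsoft.KeyVault/vaults/keys/decrypt/action",
      "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read"
    ],
    "notDataActions": []
  }]
}"""

# Abbreviated Contributor built-in role (assumption: only the notActions that matter
# here are listed; pull the real one with `az role definition list --name Contributor`).
CONTRIBUTOR = {
    "actions": ["*"],
    "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
    "dataActions": [],
    "notDataActions": [],
}


def load_fragment(text):
    """Return the single permission set from a page-style fragment."""
    perms = json.loads(text)["permissions"]
    if len(perms) != 1:
        raise ValueError("expected exactly one permission set")
    return perms[0]


def build_role_definition(perm, name, description, assignable_scopes):
    """Wrap the fragment in the flat document `az role definition create` accepts."""
    if not assignable_scopes:
        raise ValueError("AssignableScopes must not be empty")
    return {
        "Name": name,
        "IsCustom": True,
        "Description": description,
        "Actions": sorted(set(perm.get("actions", []))),
        "NotActions": sorted(set(perm.get("notActions", []))),
        "DataActions": sorted(set(perm.get("dataActions", []))),
        "NotDataActions": sorted(set(perm.get("notDataActions", []))),
        "AssignableScopes": list(assignable_scopes),
    }


def matches(pattern, action):
    """Azure RBAC wildcard semantics: '*' spans any characters (including '/'),
    and operation names compare case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def granted(allow, deny, action):
    """An operation is effective only if an allow entry matches and no deny entry does."""
    return any(matches(p, action) for p in allow) and not any(matches(p, action) for p in deny)


def missing_permissions(required, role):
    """Required actions/dataActions that `role` does not effectively grant."""
    return {
        "actions": [a for a in required.get("actions", [])
                    if not granted(role.get("actions", []), role.get("notActions", []), a)],
        "dataActions": [a for a in required.get("dataActions", [])
                        if not granted(role.get("dataActions", []), role.get("notDataActions", []), a)],
    }


if __name__ == "__main__":
    required = load_fragment(PAGE_FRAGMENT)
    # Placeholder subscription ID (assumption); scope the role as narrowly as your layout allows.
    role = build_role_definition(
        required, "Veeam Backup for Azure Service Account",
        "Permissions required by Veeam Backup for Microsoft Azure service accounts",
        ["/subscriptions/00000000-0000-0000-0000-000000000000"])
    json.dump(role, sys.stdout, indent=2)  # redirect stdout to veeam-role.json
    gap = missing_permissions(required, CONTRIBUTOR)
    print("\nnot covered by Contributor alone:", json.dumps(gap, indent=2), file=sys.stderr)
```

Run it with stdout redirected to veeam-role.json, then create and assign the role with `az role definition create --role-definition @veeam-role.json` and `az role assignment create --assignee <application (client) ID> --role "Veeam Backup for Azure Service Account" --scope <scope>`. The gap report on stderr shows that Contributor's `*` covers every control-plane action but none of the dataActions, which is why the built-in-role option on this page pairs Contributor with Key Vault Crypto User and Storage Queue Data Contributor; run `missing_permissions` against the real definitions of those roles (from `az role definition list`) to confirm the combination before trusting it.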

 

Page updated 10/29/2024

Page content applies to build 7.1.0.22