Azure Service Account Permissions

    Veeam Backup for Microsoft Azure uses service accounts to perform the following operations:

    • To enumerate resources added to a backup policy.
    • To create cloud-native snapshots of Azure VMs protected by the policy.
    • To create virtual disks and attach them to worker instances when performing image-level backup.
    • [Optional] To create and manage backup repositories.

    Tip

    If you want to assign granular permissions to your Azure Accounts, you can create a separate Repository Account that will manage backup repositories. For more information on permissions required for repository accounts, see Azure Repository Account Permissions.

    To get access to Azure resources that you want to protect, Azure service accounts must have the following permissions:

    "actions": [
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Commerce/RateCard/read",
        "Microsoft.Compute/disks/beginGetAccess/action",
        "Microsoft.Compute/disks/delete",
        "Microsoft.Compute/disks/endGetAccess/action",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/snapshots/beginGetAccess/action",
        "Microsoft.Compute/snapshots/delete",
        "Microsoft.Compute/snapshots/endGetAccess/action",
        "Microsoft.Compute/snapshots/read",
        "Microsoft.Compute/snapshots/write",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/delete",
        "Microsoft.Compute/virtualMachines/extensions/read",
        "Microsoft.Compute/virtualMachines/extensions/write",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/runCommand/action",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.DevTestLab/Schedules/write",
        "Microsoft.Network/networkInterfaces/delete",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/publicIPAddresses/join/action",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/publicIPAddresses/delete",
        "Microsoft.Network/publicIPAddresses/write",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Resources/subscriptions/resourceGroups/moveResources/action",
        "Microsoft.Resources/subscriptions/resourceGroups/delete",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.ServiceBus/namespaces/queues/authorizationRules/ListKeys/action",
        "Microsoft.ServiceBus/namespaces/queues/authorizationRules/read",
        "Microsoft.ServiceBus/namespaces/queues/authorizationRules/write",
        "Microsoft.ServiceBus/namespaces/queues/delete",
        "Microsoft.ServiceBus/namespaces/queues/read",
        "Microsoft.ServiceBus/namespaces/queues/write",
        "Microsoft.ServiceBus/namespaces/read",
        "Microsoft.ServiceBus/namespaces/write",
        "Microsoft.ServiceBus/register/action",
        "Microsoft.Sql/locations/*",
        "Microsoft.Sql/managedInstances/databases/delete",
        "Microsoft.Sql/managedInstances/databases/read",
        "Microsoft.Sql/managedInstances/databases/write",
        "Microsoft.Sql/managedInstances/encryptionProtector/read",
        "Microsoft.Sql/managedInstances/read",
        "Microsoft.Sql/servers/databases/azureAsyncOperation/read",
        "Microsoft.Sql/servers/databases/read",
        "Microsoft.Sql/servers/databases/transparentDataEncryption/read",
        "Microsoft.Sql/servers/databases/usages/read",
        "Microsoft.Sql/servers/databases/write",
        "Microsoft.Sql/servers/databases/delete",
        "Microsoft.Sql/servers/elasticPools/read",
        "Microsoft.Sql/servers/read",
        "Microsoft.Storage/storageAccounts/blobServices/read",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/managementPolicies/write",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/write",
        "Microsoft.Authorization/roleDefinitions/write",
        "Microsoft.Sql/servers/encryptionProtector/read",
        "Microsoft.Compute/diskEncryptionSets/read",
        "Microsoft.KeyVault/vaults/read",
        "Microsoft.KeyVault/vaults/keys/versions/read",
        "Microsoft.KeyVault/vaults/deploy/action",
        "Microsoft.Sql/servers/databases/syncGroups/read"
    ]

    If you plan to use service accounts to manage backup repositories and to encrypt data stored in a backup repository using Azure Key Vault keys, the service accounts must also be assigned the following permissions:

    "dataActions": [
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/encrypt/action",
        "Microsoft.KeyVault/vaults/keys/decrypt/action"
    ]
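The two permission lists above are the contents of an Azure custom role. The script below is an added example, not Veeam's tooling: it builds a role definition document in the shape that `az role definition create --role-definition @role.json` accepts, and it audits an existing role document against the documented list, reporting required actions the role does not effectively grant (allow minus deny, with Azure's `*` wildcard semantics) and any wildcard patterns broader than the one documented wildcard, `Microsoft.Sql/locations/*`. The role name, description and subscription id are assumptions; the action strings are grouped by resource-type prefix only to keep the listing short and expand to exactly the entries shown on this page.

```python
"""Build an Azure custom role with the permissions documented for the Veeam
Backup for Microsoft Azure service account, and audit an existing role
definition against that list (missing permissions, over-broad wildcards)."""
import json
import re

# The page's action list, grouped by resource-type prefix to keep it short.
# Each value expands to "<prefix>/<suffix>" for every whitespace-separated suffix.
_ACTION_GROUPS = {
    "Microsoft.Authorization": "roleAssignments/read roleDefinitions/write",
    "Microsoft.Commerce": "RateCard/read",
    "Microsoft.Compute/disks": "beginGetAccess/action delete endGetAccess/action read write",
    "Microsoft.Compute/snapshots": "beginGetAccess/action delete endGetAccess/action read write",
    "Microsoft.Compute/virtualMachines": "deallocate/action delete extensions/read extensions/write "
                                         "read runCommand/action start/action write",
    "Microsoft.Compute": "diskEncryptionSets/read",
    "Microsoft.DevTestLab": "Schedules/write",
    "Microsoft.Network/networkInterfaces": "delete join/action read write",
    "Microsoft.Network/networkSecurityGroups": "join/action read",
    "Microsoft.Network/publicIPAddresses": "join/action read delete write",
    "Microsoft.Network/virtualNetworks": "read subnets/join/action write",
    "Microsoft.Resources/subscriptions/resourceGroups": "moveResources/action delete read write",
    "Microsoft.ServiceBus/namespaces/queues/authorizationRules": "ListKeys/action read write",
    "Microsoft.ServiceBus/namespaces/queues": "delete read write",
    "Microsoft.ServiceBus": "namespaces/read namespaces/write register/action",
    "Microsoft.Sql/locations": "*",
    "Microsoft.Sql/managedInstances": "databases/delete databases/read databases/write "
                                      "encryptionProtector/read read",
    "Microsoft.Sql/servers/databases": "azureAsyncOperation/read read transparentDataEncryption/read "
                                       "usages/read write delete syncGroups/read",
    "Microsoft.Sql/servers": "elasticPools/read read encryptionProtector/read",
    "Microsoft.Storage/storageAccounts": "blobServices/read listKeys/action managementPolicies/write read write",
    "Microsoft.KeyVault/vaults": "read keys/versions/read deploy/action",
}
REQUIRED_ACTIONS = [f"{prefix}/{suffix}"
                    for prefix, suffixes in _ACTION_GROUPS.items()
                    for suffix in suffixes.split()]

# Data-plane permissions the page requires only when the service account also
# manages repositories encrypted with Azure Key Vault keys.
REQUIRED_DATA_ACTIONS = ["Microsoft.KeyVault/vaults/keys/read",
                         "Microsoft.KeyVault/vaults/keys/encrypt/action",
                         "Microsoft.KeyVault/vaults/keys/decrypt/action"]


def build_role_definition(subscription_id, manages_repositories=True,
                          name="Veeam Backup for Azure Service Account"):
    """Return a role document in the shape 'az role definition create
    --role-definition @role.json' accepts. Name and description are assumptions."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Permissions documented for the Veeam Backup for Azure service account",
        "Actions": list(REQUIRED_ACTIONS),
        "NotActions": [],
        "DataActions": list(REQUIRED_DATA_ACTIONS) if manages_repositories else [],
        "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def action_matches(pattern, action):
    """Azure RBAC wildcard semantics: '*' matches any run of characters and
    comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, action.lower()) is not None


def _granted(action, allowed, denied):
    # Effective permission = matched by an allow pattern and by no deny pattern.
    return (any(action_matches(p, action) for p in allowed)
            and not any(action_matches(p, action) for p in denied))


def audit_role(role, manages_repositories=True):
    """Compare a role document (same shape as build_role_definition returns)
    with the documented list. Returns the required actions the role does not
    effectively grant, and the wildcard patterns it carries beyond the one
    documented wildcard ('Microsoft.Sql/locations/*')."""
    missing = [a for a in REQUIRED_ACTIONS
               if not _granted(a, role.get("Actions", []), role.get("NotActions", []))]
    if manages_repositories:
        missing += [a for a in REQUIRED_DATA_ACTIONS
                    if not _granted(a, role.get("DataActions", []), role.get("NotDataActions", []))]
    documented = set(REQUIRED_ACTIONS) | set(REQUIRED_DATA_ACTIONS)
    over_broad = [p for p in role.get("Actions", []) + role.get("DataActions", [])
                  if "*" in p and p not in documented]
    return {"missing": missing, "over_broad": over_broad}


if __name__ == "__main__":
    # Constructed subscription id, not a real one.
    role = build_role_definition("00000000-0000-0000-0000-000000000000")
    print(json.dumps(role, indent=2))   # save as role.json for az role definition create
    print(audit_role(role))             # {'missing': [], 'over_broad': []}
```

The audit is the part worth keeping around: a role that was widened to `Microsoft.Compute/*` during troubleshooting, or that lost the Service Bus entries in a copy-paste, shows up as `over_broad` or `missing` rather than as a failed backup policy later. Pass `manages_repositories=False` when a separate Repository Account holds the Key Vault data actions, so the audit does not flag them.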