Azure Service Account Permissions
Veeam Backup for Microsoft Azure uses service accounts to perform the following operations:
- To enumerate resources added to backup policies.
- To create snapshots and backups of Azure resources protected by policies.
- To attach virtual disks to worker instances when performing image-level backup.
- To restore Azure VMs, virtual disks and files and folders from cloud-native snapshots and image-level backups.
- To restore SQL databases from SQL backups.
- [Optional] To create and manage backup repositories.
Tip: You can manage backup repositories using service accounts, or create repository accounts. For more information on permissions required for repository accounts, see Azure Repository Account Permissions.
To get access to Azure resources that you want to protect, Azure service accounts must have the following permissions:
```json
"permissions": [
  {
    "actions": [
      "Microsoft.Authorization/roleAssignments/read",
      "Microsoft.Commerce/RateCard/read",
      "Microsoft.Compute/disks/beginGetAccess/action",
      "Microsoft.Compute/disks/delete",
      "Microsoft.Compute/disks/endGetAccess/action",
      "Microsoft.Compute/disks/read",
      "Microsoft.Compute/disks/write",
      "Microsoft.Compute/snapshots/beginGetAccess/action",
      "Microsoft.Compute/snapshots/delete",
      "Microsoft.Compute/snapshots/endGetAccess/action",
      "Microsoft.Compute/snapshots/read",
      "Microsoft.Compute/snapshots/write",
      "Microsoft.Compute/virtualMachines/deallocate/action",
      "Microsoft.Compute/virtualMachines/delete",
      "Microsoft.Compute/virtualMachines/extensions/read",
      "Microsoft.Compute/virtualMachines/extensions/write",
      "Microsoft.Compute/virtualMachines/read",
      "Microsoft.Compute/virtualMachines/runCommand/action",
      "Microsoft.Compute/virtualMachines/start/action",
      "Microsoft.Compute/virtualMachines/write",
      "Microsoft.DevTestLab/Schedules/write",
      "Microsoft.Network/loadBalancers/read",
      "Microsoft.Network/networkInterfaces/delete",
      "Microsoft.Network/networkInterfaces/join/action",
      "Microsoft.Network/networkInterfaces/read",
      "Microsoft.Network/networkInterfaces/write",
      "Microsoft.Network/networkSecurityGroups/join/action",
      "Microsoft.Network/networkSecurityGroups/read",
      "Microsoft.Network/publicIPAddresses/join/action",
      "Microsoft.Network/publicIPAddresses/read",
      "Microsoft.Network/publicIPAddresses/delete",
      "Microsoft.Network/publicIPAddresses/write",
      "Microsoft.Network/virtualNetworks/read",
      "Microsoft.Network/virtualNetworks/subnets/join/action",
      "Microsoft.Network/virtualNetworks/write",
      "Microsoft.Network/virtualNetworks/delete",
      "Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read",
      "Microsoft.Resources/subscriptions/resourceGroups/moveResources/action",
      "Microsoft.Resources/subscriptions/resourceGroups/delete",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Resources/subscriptions/resourceGroups/write",
      "Microsoft.ServiceBus/namespaces/queues/authorizationRules/ListKeys/action",
      "Microsoft.ServiceBus/namespaces/queues/authorizationRules/read",
      "Microsoft.ServiceBus/namespaces/queues/authorizationRules/write",
      "Microsoft.ServiceBus/namespaces/queues/delete",
      "Microsoft.ServiceBus/namespaces/queues/read",
      "Microsoft.ServiceBus/namespaces/queues/write",
      "Microsoft.ServiceBus/namespaces/read",
      "Microsoft.ServiceBus/namespaces/write",
      "Microsoft.ServiceBus/register/action",
      "Microsoft.Sql/locations/*",
      "Microsoft.Sql/managedInstances/databases/delete",
      "Microsoft.Sql/managedInstances/databases/read",
      "Microsoft.Sql/managedInstances/databases/write",
      "Microsoft.Sql/managedInstances/encryptionProtector/read",
      "Microsoft.Sql/managedInstances/read",
      "Microsoft.Sql/servers/databases/azureAsyncOperation/read",
      "Microsoft.Sql/servers/databases/read",
      "Microsoft.Sql/servers/databases/transparentDataEncryption/read",
      "Microsoft.Sql/servers/databases/usages/read",
      "Microsoft.Sql/servers/databases/write",
      "Microsoft.Sql/servers/databases/delete",
      "Microsoft.Sql/servers/elasticPools/read",
      "Microsoft.Sql/servers/read",
      "Microsoft.Sql/servers/databases/syncGroups/read",
      "Microsoft.Sql/servers/encryptionProtector/read",
      "Microsoft.Storage/storageAccounts/blobServices/read",
      "Microsoft.Storage/storageAccounts/listKeys/action",
      "Microsoft.Storage/storageAccounts/managementPolicies/write",
      "Microsoft.Storage/storageAccounts/read",
      "Microsoft.Storage/storageAccounts/write",
      "Microsoft.Authorization/roleDefinitions/write",
      "Microsoft.Compute/diskEncryptionSets/read",
      "Microsoft.KeyVault/vaults/read",
      "Microsoft.KeyVault/vaults/keys/versions/read",
      "Microsoft.KeyVault/vaults/deploy/action"
    ]
  }
]
```
If you plan to use service accounts to manage backup repositories and to encrypt data stored in a backup repository with Azure Key Vault keys, service accounts must also be assigned the following data actions:
```json
"dataActions": [
  "Microsoft.KeyVault/vaults/keys/read",
  "Microsoft.KeyVault/vaults/keys/encrypt/action",
  "Microsoft.KeyVault/vaults/keys/decrypt/action"
]
```
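A check of the two required lists above against real role definitions, as an added example that is not Veeam code: it assumes the role definition objects are the JSON returned by `az role definition list` (a `permissions` key holding `actions`/`notActions`/`dataActions`/`notDataActions`) and applies Azure RBAC wildcard matching, so a Contributor-style grant of `*` minus `Microsoft.Authorization/*/Write` is reported as missing `Microsoft.Authorization/roleDefinitions/write`. The sample roles and the shortened required lists are constructed for the example.

```python
# Added example (not Veeam code): check role definitions, assumed to be the JSON
# from `az role definition list -o json`, against the actions this page requires.
import fnmatch

# Constructed subset of the actions and data actions listed on this page.
REQUIRED_ACTIONS = [
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Compute/virtualMachines/runCommand/action",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Sql/locations/*",
]
REQUIRED_DATA_ACTIONS = [
    "Microsoft.KeyVault/vaults/keys/read",
    "Microsoft.KeyVault/vaults/keys/encrypt/action",
    "Microsoft.KeyVault/vaults/keys/decrypt/action",
]

def covers(granted: str, required: str) -> bool:
    """Azure RBAC matching: '*' spans any characters, including '/', case-insensitively."""
    return fnmatch.fnmatchcase(required.lower(), granted.lower())

def is_allowed(role_defs, required: str, key: str = "actions") -> bool:
    """True if some role grants `required` under `key` and no not-list entry excludes it."""
    not_key = "not" + key[0].upper() + key[1:]  # actions -> notActions, dataActions -> notDataActions
    for role in role_defs:
        for perm in role.get("permissions", []):
            granted = any(covers(p, required) for p in perm.get(key, []))
            denied = any(covers(p, required) for p in perm.get(not_key, []))
            if granted and not denied:
                return True
    return False

def missing(role_defs, required, key="actions"):
    """Required entries that no role definition effectively grants."""
    return [r for r in required if not is_allowed(role_defs, r, key)]

# Constructed sample: a Contributor-style role ('*' minus authorization writes)
# plus a custom role that grants only two of the three Key Vault data actions.
SAMPLE_ROLES = [
    {"roleName": "contributor-like", "permissions": [
        {"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Write"]}]},
    {"roleName": "kv-crypto-partial", "permissions": [
        {"dataActions": ["Microsoft.KeyVault/vaults/keys/read",
                         "Microsoft.KeyVault/vaults/keys/encrypt/action"]}]},
]
```

Run `missing(SAMPLE_ROLES, REQUIRED_ACTIONS)` and `missing(SAMPLE_ROLES, REQUIRED_DATA_ACTIONS, "dataActions")` on the roles assigned to the service account; the check evaluates role definitions only, not assignment scope or deny assignments.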