Veeam Backup for Microsoft Azure 3.0 [Archived]
User Guide
Related documents
Search
This is an archive version of the document. To get the most up-to-date information, see the current version.

Azure Service Account Permissions

Veeam Backup for Microsoft Azure uses service accounts to perform the following operations:

  • To enumerate resources added to backup policies.
  • To create snapshots and backups of Azure resources protected by policies.
  • To attach virtual disks to worker instances when performing image-level backup.
  • To restore Azure VMs, virtual disks and files and folders from cloud-native snapshots and image-level backups.
  • To restore SQL databases from SQL backups.
  • [Optional] To create and manage backup repositories.

Tip

You can manage backup repositories using service accounts, or create repository accounts. For more information on permissions required for repository accounts, see Azure Repository Account Permissions.

To get access to Azure resources that you want to protect, Azure service accounts must have the following permissions:

"permissions": [

{

 "actions": [

     "Microsoft.Authorization/roleAssignments/read",

     "Microsoft.Commerce/RateCard/read",

     "Microsoft.Compute/disks/beginGetAccess/action",

     "Microsoft.Compute/disks/delete",

     "Microsoft.Compute/disks/endGetAccess/action",

     "Microsoft.Compute/disks/read",

     "Microsoft.Compute/disks/write",

     "Microsoft.Compute/snapshots/beginGetAccess/action",

     "Microsoft.Compute/snapshots/delete",

     "Microsoft.Compute/snapshots/endGetAccess/action",

     "Microsoft.Compute/snapshots/read",

     "Microsoft.Compute/snapshots/write",

     "Microsoft.Compute/virtualMachines/deallocate/action",

     "Microsoft.Compute/virtualMachines/delete",

     "Microsoft.Compute/virtualMachines/extensions/read",

     "Microsoft.Compute/virtualMachines/extensions/write",

     "Microsoft.Compute/virtualMachines/read",

     "Microsoft.Compute/virtualMachines/runCommand/action",

     "Microsoft.Compute/virtualMachines/start/action",

     "Microsoft.Compute/virtualMachines/write",

     "Microsoft.DevTestLab/Schedules/write",

     "Microsoft.Network/loadBalancers/read",

     "Microsoft.Network/networkInterfaces/delete",

     "Microsoft.Network/networkInterfaces/join/action",

     "Microsoft.Network/networkInterfaces/read",

     "Microsoft.Network/networkInterfaces/write",

     "Microsoft.Network/networkSecurityGroups/join/action",

     "Microsoft.Network/networkSecurityGroups/read",

     "Microsoft.Network/publicIPAddresses/join/action",

     "Microsoft.Network/publicIPAddresses/read",

     "Microsoft.Network/publicIPAddresses/delete",

     "Microsoft.Network/publicIPAddresses/write",

     "Microsoft.Network/virtualNetworks/read",

     "Microsoft.Network/virtualNetworks/subnets/join/action",

     "Microsoft.Network/virtualNetworks/write",

     "Microsoft.Network/virtualNetworks/delete",

     "Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read",

     "Microsoft.Resources/subscriptions/resourceGroups/moveResources/action",

     "Microsoft.Resources/subscriptions/resourceGroups/delete",

     "Microsoft.Resources/subscriptions/resourceGroups/read",

     "Microsoft.Resources/subscriptions/resourceGroups/write",

     "Microsoft.ServiceBus/namespaces/queues/authorizationRules/ListKeys/action",

     "Microsoft.ServiceBus/namespaces/queues/authorizationRules/read",

     "Microsoft.ServiceBus/namespaces/queues/authorizationRules/write",

     "Microsoft.ServiceBus/namespaces/queues/delete",

     "Microsoft.ServiceBus/namespaces/queues/read",

     "Microsoft.ServiceBus/namespaces/queues/write",

     "Microsoft.ServiceBus/namespaces/read",

     "Microsoft.ServiceBus/namespaces/write",

     "Microsoft.ServiceBus/register/action",

     "Microsoft.Sql/locations/*",

     "Microsoft.Sql/managedInstances/databases/delete",

     "Microsoft.Sql/managedInstances/databases/read",

     "Microsoft.Sql/managedInstances/databases/write",

     "Microsoft.Sql/managedInstances/encryptionProtector/read",

     "Microsoft.Sql/managedInstances/read",

     "Microsoft.Sql/servers/databases/azureAsyncOperation/read",

     "Microsoft.Sql/servers/databases/read",

     "Microsoft.Sql/servers/databases/transparentDataEncryption/read",

     "Microsoft.Sql/servers/databases/usages/read",

     "Microsoft.Sql/servers/databases/write",

     "Microsoft.Sql/servers/databases/delete",

     "Microsoft.Sql/servers/elasticPools/read",

     "Microsoft.Sql/servers/read",

     "Microsoft.Sql/servers/databases/syncGroups/read",

     "Microsoft.Sql/servers/encryptionProtector/read",      

     "Microsoft.Storage/storageAccounts/blobServices/read",

     "Microsoft.Storage/storageAccounts/listKeys/action",

     "Microsoft.Storage/storageAccounts/managementPolicies/write",

     "Microsoft.Storage/storageAccounts/read",

     "Microsoft.Storage/storageAccounts/write",

     "Microsoft.Authorization/roleDefinitions/write",

     "Microsoft.Compute/diskEncryptionSets/read",

     "Microsoft.KeyVault/vaults/read",

     "Microsoft.KeyVault/vaults/keys/versions/read",

     "Microsoft.KeyVault/vaults/deploy/action"      

    ]

  }

]

If you plan to use service accounts to manage backup repositories, to encrypt data stored in a backup repository using the Azure Key Vaults and keys, service accounts must be assigned the following permissions:

"dataActions": [

     "Microsoft.KeyVault/vaults/keys/read",

     "Microsoft.KeyVault/vaults/keys/encrypt/action",

     "Microsoft.KeyVault/vaults/keys/decrypt/action"

]

View all results across Veeam
Back to document search