Worker Permissions
To allow Veeam Backup for Microsoft Azure to launch a worker instance in an Azure AD tenant and to access the instance when performing backup and restore operations, the service account that will be used to manage the worker instance must have the following permissions:
{ "permissions": [ { "actions": [ "Microsoft.Authorization/roleAssignments/read", "Microsoft.Commerce/RateCard/read", "Microsoft.Compute/diskAccesses/delete", "Microsoft.Compute/diskAccesses/privateEndpointConnections/read", "Microsoft.Compute/diskAccesses/privateEndpointConnections/write", "Microsoft.Compute/diskAccesses/PrivateEndpointConnectionsApproval/action", "Microsoft.Compute/diskAccesses/read", "Microsoft.Compute/diskAccesses/write", "Microsoft.Compute/disks/delete", "Microsoft.Compute/disks/read", "Microsoft.Compute/disks/write", "Microsoft.Compute/virtualMachines/deallocate/action", "Microsoft.Compute/virtualMachines/delete", "Microsoft.Compute/virtualMachines/extensions/read", "Microsoft.Compute/virtualMachines/extensions/write", "Microsoft.Compute/virtualMachines/read", "Microsoft.Compute/virtualMachines/start/action", "Microsoft.Compute/virtualMachines/write", "Microsoft.Insights/eventtypes/values/Read", "Microsoft.Insights/MetricDefinitions/Read", "Microsoft.Insights/Metrics/Read", "Microsoft.Network/networkInterfaces/delete", "Microsoft.Network/networkInterfaces/join/action", "Microsoft.Network/networkInterfaces/read", "Microsoft.Network/networkInterfaces/write", "Microsoft.Network/networkSecurityGroups/join/action", "Microsoft.Network/networkSecurityGroups/read", "Microsoft.Network/privateEndpoints/delete", "Microsoft.Network/privateEndpoints/read", "Microsoft.Network/privateEndpoints/write", "Microsoft.Network/privateLinkServices/privateEndpointConnections/delete", "Microsoft.Network/privateLinkServices/privateEndpointConnections/read", "Microsoft.Network/privateLinkServices/privateEndpointConnections/write", "Microsoft.Network/publicIPAddresses/delete", "Microsoft.Network/publicIPAddresses/join/action", "Microsoft.Network/publicIPAddresses/read", "Microsoft.Network/publicIPAddresses/write", "Microsoft.Network/virtualNetworks/delete", "Microsoft.Network/virtualNetworks/read", "Microsoft.Network/virtualNetworks/subnets/join/action", "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action", "Microsoft.Network/virtualNetworks/write", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.ServiceBus/namespaces/delete", "Microsoft.ServiceBus/namespaces/networkrulesets/delete", "Microsoft.ServiceBus/namespaces/networkrulesets/read", "Microsoft.ServiceBus/namespaces/networkrulesets/write", "Microsoft.ServiceBus/namespaces/operationresults/read", "Microsoft.ServiceBus/namespaces/queues/authorizationRules/ListKeys/action", "Microsoft.ServiceBus/namespaces/queues/authorizationRules/read", "Microsoft.ServiceBus/namespaces/queues/authorizationRules/write", "Microsoft.ServiceBus/namespaces/queues/delete", "Microsoft.ServiceBus/namespaces/queues/read", "Microsoft.ServiceBus/namespaces/queues/write", "Microsoft.ServiceBus/namespaces/read", "Microsoft.ServiceBus/namespaces/write", "Microsoft.ServiceBus/register/action", "Microsoft.Storage/storageAccounts/blobServices/containers/read", "Microsoft.Storage/storageAccounts/blobServices/containers/write", "Microsoft.Storage/storageAccounts/blobServices/read", "Microsoft.Storage/storageAccounts/listKeys/action", "Microsoft.Storage/storageAccounts/managementPolicies/write", "Microsoft.Storage/storageAccounts/privateEndpointConnections/write", "Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action", "Microsoft.Storage/storageAccounts/queueServices/queues/delete", "Microsoft.Storage/storageAccounts/queueServices/queues/read", "Microsoft.Storage/storageAccounts/queueServices/queues/write", "Microsoft.Storage/storageAccounts/read", "Microsoft.Storage/storageAccounts/write" ], "notActions": [], "dataActions": [ "Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete", "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read", "Microsoft.Storage/storageAccounts/queueServices/queues/messages/write"
], "notDataActions": [] } ] } |