Make sure user accounts that you plan to use have permissions described in this section.
The user account that you plan to use when installing and working with Veeam Backup & Replication must have permissions described in the Installing and Using Veeam Backup & Replication section in the Veeam Backup & Replication User Guide.
If you plan to connect to a tenant using Remote Access Console, you must run the console as administrator.
To deploy or connect to a Veeam Backup for Microsoft Azure appliance, you specify an Azure user account. The Azure user account must be registered in the Global or Government region. Note that the Government region is supported starting from Microsoft Azure Plug-in for Veeam Backup & Replication version 22.214.171.124. This account must have the following permissions:
- If you add an existing account, check the permissions listed in the Veeam Backup for Microsoft Azure User Guide.
- If you create a new account, Veeam Backup & Replication assigns this account the Owner and Key Vault Crypto User roles. These roles are sufficient to perform further operations.
To perform data protection and disaster recovery operations, Microsoft Azure Plug-in for Veeam Backup & Replication uses an Azure service account.
If you deploy a new Veeam Backup for Microsoft Azure appliance from the Veeam Backup & Replication console, the Default service account is created automatically. This service account is granted all the necessary permissions to perform operations within the Azure user account — to back up any VMs, SQL databases or other resources within the account, to store backups in Blob storage containers, and so on.
If you connect to an existing appliance or upgrade an already added appliance, make sure that the service accounts added to the appliance have the following roles and permissions assigned:
- The Contributor role. For more information on built-in roles, see Microsoft Docs.
- The following custom roles: Veeam Service Account and Veeam Repository Account.
- If you have disabled the Users can register applications option on the Microsoft Azure portal, make sure that the service account has the Application Developer, Application Administrator or Global Administrator role. For more information on role permissions, see Microsoft Docs.
- To be able to use Azure Key Vaults and keys, the service account must have the following permissions:
For more information on how to add service accounts and which permissions are required when adding them, see the Adding Azure Service Account section in the Veeam Backup for Microsoft Azure User Guide.
The Azure SQL account that you plan to use when restoring Microsoft Azure databases must have administrative permissions on Azure SQL servers or Azure SQL Managed Instances to which you restore databases.
The AWS user account that you plan to use when restoring Azure VMs to Amazon EC2 must have permissions described in the AWS IAM User Permissions section of the Veeam Backup & Replication User Guide.
The IAM service account that you plan to use to connect to Google Cloud Platform must be granted roles described in the Google Cloud Platform IAM User Permissions section in the Veeam Backup & Replication User Guide.
If you plan to copy backups to on-premises repositories, to perform restore to VMware vSphere or Microsoft Hyper-V, or to perform other tasks related to virtualization servers or hosts, you must check that the user account specified for these servers and host has the required permissions. These permissions are listed in the Using Virtualization Servers and Hosts section in the User Guide for VMware vSphere and in the Using Virtualization Servers and Hosts section in the User Guide for Microsoft Hyper-V.