Permissions for Azure Archiver Appliance

Veeam Backup for Microsoft 365 allows you to use the Azure archiver appliance when the product copies backed-up data between different instances of Azure Blob Storage or to Azure Blob Storage Archive. Using the Azure archiver appliance requires the Microsoft Azure service account.

The user account that you use to create the Azure AD application for the Microsoft Azure service account must have the Application administrator role, and must be an Owner, not a Contributor, of the Microsoft Azure subscription that you selected for the Microsoft Azure service account.

If you prefer to use your own custom application for the Microsoft Azure service account, the following are the minimum permissions required for this Azure AD application:

{
   "properties": {
       "roleName": "APPLICATION_MINIMAL_PERMISSIONS",
       "description": "APPLICATION_MINIMAL_PERMISSIONS",
       "assignableScopes": [
           "/subscriptions/*"
       ],
       "permissions": [
           {
               "actions": [
                 "Microsoft.ApiManagement/service/subscriptions/read",
                 "Microsoft.Storage/storageAccounts/read",
                 "Microsoft.Resources/subscriptions/resourceGroups/read",
                 "Microsoft.Resources/subscriptions/resourceGroups/write",
                 "Microsoft.Compute/virtualMachines/*",
                 "Microsoft.Network/virtualNetworks/read",
                 "Microsoft.Network/virtualNetworks/write",
                 "Microsoft.Network/virtualNetworks/subnets/join/action",
                 "Microsoft.Network/networkSecurityGroups/read",
                 "Microsoft.Network/networkSecurityGroups/write",
                 "Microsoft.Network/networkSecurityGroups/join/action",
                 "Microsoft.Network/publicIPAddresses/read",
                 "Microsoft.Network/publicIPAddresses/write",
                 "Microsoft.Network/publicIPAddresses/delete",
                 "Microsoft.Network/publicIPAddresses/join/action",
                 "Microsoft.Network/networkInterfaces/*",
                 "Microsoft.Compute/disks/delete"
               ],
               "notActions": [],
               "dataActions": [],
               "notDataActions": []
           }
       ]
   }
}
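To check that a custom role still matches the list above, the following added example (not Veeam's code) compares a role definition in the same JSON shape against the documented actions and reports missing actions, extra or widened actions, and assignable scopes not pinned to one subscription. The names audit_role, covers, BASELINE, PINNED and SAMPLE are hypothetical, the sample role is constructed, and treating only a subscription GUID scope as "pinned" is an assumption of this example.

```python
import json
import re
from fnmatch import fnmatchcase

# Actions copied from the role definition on this page (the documented baseline).
BASELINE = [
    "Microsoft.ApiManagement/service/subscriptions/read",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/write",
    "Microsoft.Compute/virtualMachines/*",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/networkSecurityGroups/join/action",
    "Microsoft.Network/publicIPAddresses/read",
    "Microsoft.Network/publicIPAddresses/write",
    "Microsoft.Network/publicIPAddresses/delete",
    "Microsoft.Network/publicIPAddresses/join/action",
    "Microsoft.Network/networkInterfaces/*",
    "Microsoft.Compute/disks/delete",
]
# Assumption of this example: a scope is "pinned" only if it names one subscription GUID.
PINNED = re.compile(r"^/subscriptions/[0-9a-f-]{36}(/resourceGroups/[^/]+)?$", re.I)

def covers(pattern, action):
    """True if an action pattern (with * wildcards) covers the given action string."""
    return fnmatchcase(action.lower(), pattern.lower())

def audit_role(role_json):
    """Diff a custom role (JSON shape used on this page) against BASELINE."""
    props = json.loads(role_json)["properties"]
    granted = [a for p in props.get("permissions", []) for a in p.get("actions", [])]
    return {
        "missing": [b for b in BASELINE if not any(covers(g, b) for g in granted)],
        "extra": [g for g in granted if not any(covers(b, g) for b in BASELINE)],
        "unpinned_scopes": [s for s in props.get("assignableScopes", []) if not PINNED.match(s)],
    }

# Constructed sample: one baseline action dropped, two actions added, placeholder scope kept.
SAMPLE = json.dumps({"properties": {
    "assignableScopes": ["/subscriptions/*"],
    "permissions": [{"actions": [a for a in BASELINE if a != "Microsoft.Network/publicIPAddresses/delete"]
                     + ["Microsoft.Compute/*", "Microsoft.Authorization/roleAssignments/write"]}],
}})
```

Calling audit_role(SAMPLE) returns the dropped action under "missing", the two added actions under "extra", and "/subscriptions/*" under "unpinned_scopes"; notActions and dataActions are not evaluated by this check.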
