Permissions

Veeam Data Cloud for Microsoft Azure uses a service account to perform the following operations:

To enumerate resources added to backup policies.
To create snapshots and backups of Azure resources.
To add and manage backup repositories.
To attach virtual disks to worker instances when performing image-level backup.
To restore Azure VMs, virtual disks, and files and folders from snapshots and backups.
To restore Azure SQL databases from backups.
To restore files of Azure file shares from snapshots.
To perform point-in-time restore of Cosmos DB accounts from continuous backups.

The service account has the following permissions that allow Veeam Data Cloud for Microsoft Azure to back up and restore Azure resources.

{

"permissions": [

{

"actions": [

"Microsoft.Authorization/locks/Read",

"Microsoft.Authorization/roleAssignments/read",

"Microsoft.Compute/availabilitySets/read",

"Microsoft.Compute/availabilitySets/vmSizes/read",

"Microsoft.Compute/diskAccesses/delete",

"Microsoft.Compute/diskAccesses/privateEndpointConnections/read",

"Microsoft.Compute/diskAccesses/privateEndpointConnections/write",

"Microsoft.Compute/diskAccesses/PrivateEndpointConnectionsApproval/action",

"Microsoft.Compute/diskAccesses/read",

"Microsoft.Compute/diskAccesses/write",

"Microsoft.Compute/diskEncryptionSets/read",

"Microsoft.Compute/disks/beginGetAccess/action",

"Microsoft.Compute/disks/delete",

"Microsoft.Compute/disks/endGetAccess/action",

"Microsoft.Compute/disks/read",

"Microsoft.Compute/disks/write",

"Microsoft.Compute/snapshots/beginGetAccess/action",

"Microsoft.Compute/snapshots/delete",

"Microsoft.Compute/snapshots/endGetAccess/action",

"Microsoft.Compute/snapshots/read",

"Microsoft.Compute/snapshots/write",

"Microsoft.Compute/virtualMachines/deallocate/action",

"Microsoft.Compute/virtualMachines/delete",

"Microsoft.Compute/virtualMachines/read",

"Microsoft.Compute/virtualMachines/runCommand/action",

"Microsoft.Compute/virtualMachines/write",
"Microsoft.DBforPostgreSQL/serverGroupsv2/*/read",

"Microsoft.DBforPostgreSQL/serverGroupsv2/*/write",

"Microsoft.DBforPostgreSQL/serverGroupsv2/privateEndpointConnections/read",

"Microsoft.DBforPostgreSQL/serverGroupsv2/privateEndpointConnections/write",

"Microsoft.DBforPostgreSQL/serverGroupsv2/privateEndpointConnectionsApproval/action",

"Microsoft.DevTestLab/Schedules/read",
"Microsoft.DevTestLab/Schedules/write",

"Microsoft.DocumentDB/databaseAccounts/delete",

"Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/read",

"Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/graphs/write",

"Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/read",

"Microsoft.DocumentDB/databaseAccounts/gremlinDatabases/write",

"Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action",

"Microsoft.DocumentDB/databaseAccounts/metrics/read",

"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/read",

"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/read",

"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/write",

"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/read",

"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/throughputSettings/read",

"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/write",

"Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections/read",

"Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections/write",

"Microsoft.DocumentDB/databaseAccounts/privateEndpointConnectionsApproval/action",

"Microsoft.DocumentDB/databaseAccounts/read",

"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read",

"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read",

"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write",

"Microsoft.DocumentDB/databaseAccounts/tables/read",

"Microsoft.DocumentDB/databaseAccounts/tables/write",

"Microsoft.DocumentDB/databaseAccounts/write",

"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read",

"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read",

"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action",
"Microsoft.Insights/eventtypes/values/Read",
"Microsoft.Insights/Metrics/Read",

"Microsoft.Network/loadBalancers/backendAddressPools/join/action",

"Microsoft.Network/loadBalancers/read",

"Microsoft.Network/networkInterfaces/delete",

"Microsoft.Network/networkInterfaces/join/action",

"Microsoft.Network/networkInterfaces/read",

"Microsoft.Network/networkInterfaces/write",

"Microsoft.Network/networkSecurityGroups/join/action",

"Microsoft.Network/networkSecurityGroups/read",

"Microsoft.Network/privateEndpoints/delete",

"Microsoft.Network/privateEndpoints/read",

"Microsoft.Network/privateEndpoints/write",

"Microsoft.Network/privateLinkServices/privateEndpointConnections/delete",

"Microsoft.Network/privateLinkServices/privateEndpointConnections/read",

"Microsoft.Network/privateLinkServices/privateEndpointConnections/write",

"Microsoft.Network/publicIPAddresses/join/action",

"Microsoft.Network/publicIPAddresses/read",

"Microsoft.Network/publicIPAddresses/write",

"Microsoft.Network/routeTables/join/action",

"Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read",

"Microsoft.Network/virtualNetworks/read",

"Microsoft.Network/virtualNetworks/subnets/join/action",

"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",

"Microsoft.Network/virtualNetworks/write",
"Microsoft.Quota/quotas/read",

"Microsoft.Resources/subscriptions/resourceGroups/delete",

"Microsoft.Resources/subscriptions/resourceGroups/moveResources/action",

"Microsoft.Resources/subscriptions/resourceGroups/read",

"Microsoft.Resources/subscriptions/resourceGroups/validateMoveResources/action",

"Microsoft.Resources/subscriptions/resourceGroups/write",

"Microsoft.Sql/locations/*",

"Microsoft.Sql/managedInstances/databases/delete",

"Microsoft.Sql/managedInstances/databases/read",

"Microsoft.Sql/managedInstances/databases/write",

"Microsoft.Sql/managedInstances/encryptionProtector/read",
"Microsoft.Sql/managedInstances/privateEndpointConnections/read",
"Microsoft.Sql/managedInstances/privateEndpointConnections/write",

"Microsoft.Sql/managedInstances/read",

"Microsoft.Sql/servers/databases/azureAsyncOperation/read",

"Microsoft.Sql/servers/databases/delete",

"Microsoft.Sql/servers/databases/read",

"Microsoft.Sql/servers/databases/syncGroups/read",

"Microsoft.Sql/servers/databases/transparentDataEncryption/read",

"Microsoft.Sql/servers/databases/usages/read",

"Microsoft.Sql/servers/databases/write",

"Microsoft.Sql/servers/elasticPools/read",

"Microsoft.Sql/servers/encryptionProtector/read",
"Microsoft.Sql/servers/privateEndpointConnections/read",
"Microsoft.Sql/servers/privateEndpointConnections/write",
"Microsoft.Sql/servers/privateEndpointConnectionsApproval/action",

"Microsoft.Sql/servers/read",

"Microsoft.Storage/storageAccounts/listKeys/action",

"Microsoft.Storage/storageAccounts/privateEndpointConnections/write",

"Microsoft.Storage/storageAccounts/privateEndpointConnectionsApproval/action",

"Microsoft.Storage/storageAccounts/read",

"Microsoft.Storage/storageAccounts/write"

"notActions": [],

"dataActions": [],

"notDataActions": []

}

]

}