Service Account Permissions
Veeam Data Cloud for Microsoft Azure uses service accounts to perform the following operations:
- To enumerate resources added to backup policies.
- To create snapshots and backups of Azure resources.
- To add and manage backup repositories.
- To attach virtual disks to worker instances when performing image-level backup.
- To restore Azure VMs, virtual disks, and files and folders from snapshots and backups.
- To restore Azure SQL databases from backups.
- To restore files of Azure file shares from snapshots.
- To create backups of Azure virtual network configurations.
- To restore backups of Azure virtual network configurations from backups.
To allow your backup appliance to perform these operations, service accounts that will be used to access Azure resources must be added to Veeam Data Cloud for Microsoft Azure as described in section Creating Service Accounts. You can create a new Microsoft Entra application and connect it to the service account or use a Microsoft Entra application that already exists in Microsoft Azure.
- If you choose to create a new Microsoft Entra application, you will not have to take any additional configuration steps since Veeam Data Cloud for Microsoft Azure will grant all the required permissions automatically.
- If you choose to use an existing Microsoft Entra application, you will have to make sure the application has the following permissions granted:
{ "permissions": [ { "actions": [ "Microsoft.Authorization/locks/Read", "Microsoft.Authorization/roleAssignments/read", "Microsoft.Compute/availabilitySets/read", "Microsoft.Compute/availabilitySets/vmSizes/read", "Microsoft.Compute/diskAccesses/delete", "Microsoft.Compute/diskAccesses/privateEndpointConnections/read", "Microsoft.Compute/diskAccesses/privateEndpointConnections/write", "Microsoft.Compute/diskAccesses/PrivateEndpointConnectionsApproval/action", "Microsoft.Compute/diskAccesses/read", "Microsoft.Compute/diskAccesses/write", "Microsoft.Compute/diskEncryptionSets/read", "Microsoft.Compute/disks/beginGetAccess/action", "Microsoft.Compute/disks/delete", "Microsoft.Compute/disks/endGetAccess/action", "Microsoft.Compute/disks/read", "Microsoft.Compute/disks/write", "Microsoft.Compute/snapshots/beginGetAccess/action", "Microsoft.Compute/snapshots/delete", "Microsoft.Compute/snapshots/endGetAccess/action", "Microsoft.Compute/snapshots/read", "Microsoft.Compute/snapshots/write", "Microsoft.Compute/virtualMachines/deallocate/action", "Microsoft.Compute/virtualMachines/delete", "Microsoft.Compute/virtualMachines/read", "Microsoft.Compute/virtualMachines/runCommand/action", "Microsoft.Compute/virtualMachines/write", "Microsoft.DevTestLab/Schedules/read", "Microsoft.DevTestLab/Schedules/write", "Microsoft.Network/ddosProtectionPlans/join/action", "Microsoft.Network/ddosProtectionPlans/read", "Microsoft.Network/loadBalancers/backendAddressPools/join/action", "Microsoft.Network/loadBalancers/read", "Microsoft.Network/natGateways/join/action", "Microsoft.Network/natGateways/read", "Microsoft.Network/networkInterfaces/delete", "Microsoft.Network/networkInterfaces/join/action", "Microsoft.Network/networkInterfaces/read", "Microsoft.Network/networkInterfaces/write", "Microsoft.Network/networkSecurityGroups/join/action", "Microsoft.Network/networkSecurityGroups/read", "Microsoft.Network/networkSecurityGroups/securityRules/delete", "Microsoft.Network/networkSecurityGroups/securityRules/read", "Microsoft.Network/networkSecurityGroups/securityRules/write", "Microsoft.Network/networkSecurityGroups/write", "Microsoft.Network/privateDnsZones/delete", "Microsoft.Network/privateDnsZones/join/action", "Microsoft.Network/privateDnsZones/read", "Microsoft.Network/privateDnsZones/write", "Microsoft.Network/privateEndpoints/delete", "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read", "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write", "Microsoft.Network/privateEndpoints/read", "Microsoft.Network/privateEndpoints/write", "Microsoft.Network/privateLinkServices/delete", "Microsoft.Network/privateLinkServices/privateEndpointConnections/delete", "Microsoft.Network/privateLinkServices/privateEndpointConnections/read", "Microsoft.Network/privateLinkServices/privateEndpointConnections/write", "Microsoft.Network/privateLinkServices/PrivateEndpointConnectionsApproval/action", "Microsoft.Network/privateLinkServices/read", "Microsoft.Network/privateLinkServices/write", "Microsoft.Network/publicIPAddresses/join/action", "Microsoft.Network/publicIPAddresses/read", "Microsoft.Network/publicIPAddresses/write", "Microsoft.Network/routeTables/join/action", "Microsoft.Network/routeTables/read", "Microsoft.Network/routeTables/routes/delete", "Microsoft.Network/routeTables/routes/read", "Microsoft.Network/routeTables/routes/write", "Microsoft.Network/routeTables/write", "Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read", "Microsoft.Network/virtualNetworks/join/action", "Microsoft.Network/virtualNetworks/peer/action", "Microsoft.Network/virtualNetworks/read", "Microsoft.Network/virtualNetworks/subnets/join/action", "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action", "Microsoft.Network/virtualNetworks/subnets/read", "Microsoft.Network/virtualNetworks/subnets/write", "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete", "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read", "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write", "Microsoft.Network/virtualNetworks/write", "Microsoft.Resources/subscriptions/resourceGroups/delete", "Microsoft.Resources/subscriptions/resourceGroups/moveResources/action", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Resources/subscriptions/resourceGroups/validateMoveResources/action", "Microsoft.Resources/subscriptions/resourceGroups/write", "Microsoft.Sql/locations/*", "Microsoft.Sql/managedInstances/databases/delete", "Microsoft.Sql/managedInstances/databases/read", "Microsoft.Sql/managedInstances/databases/write", "Microsoft.Sql/managedInstances/encryptionProtector/read", "Microsoft.Sql/managedInstances/read", "Microsoft.Sql/servers/databases/azureAsyncOperation/read", "Microsoft.Sql/servers/databases/delete", "Microsoft.Sql/servers/databases/read", "Microsoft.Sql/servers/databases/syncGroups/read", "Microsoft.Sql/servers/databases/transparentDataEncryption/read", "Microsoft.Sql/servers/databases/usages/read", "Microsoft.Sql/servers/databases/write", "Microsoft.Sql/servers/elasticPools/read", "Microsoft.Sql/servers/encryptionProtector/read", "Microsoft.Sql/servers/read", "Microsoft.Storage/storageAccounts/listKeys/action", "Microsoft.Storage/storageAccounts/privateEndpointConnections/write", "Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action", "Microsoft.Storage/storageAccounts/read", "Microsoft.Storage/storageAccounts/write" ], "notActions": [], "dataActions": [], "notDataActions": [] } ] } |
In This Section
