Service Account Permissions

Veeam Data Cloud for Microsoft Azure uses service accounts to perform the following operations:

  • To enumerate resources added to backup policies.
  • To create snapshots and backups of Azure resources.
  • To add and manage backup repositories.
  • To attach virtual disks to worker instances when performing image-level backup.
  • To restore Azure VMs, virtual disks, and files and folders from snapshots and backups.
  • To restore Azure SQL databases from backups.
  • To restore files of Azure file shares from snapshots.
  • To create backups of Azure virtual network configurations.
  • To restore Azure virtual network configurations from backups.

To allow your backup appliance to perform these operations, service accounts that will be used to access Azure resources must be added to Veeam Data Cloud for Microsoft Azure as described in section Creating Service Accounts. You can create a new Microsoft Entra application and connect it to the service account or use a Microsoft Entra application that already exists in Microsoft Azure.

{
    "permissions": [
        {
            "actions": [
                "Microsoft.Authorization/locks/Read",
                "Microsoft.Authorization/roleAssignments/read",
                "Microsoft.Compute/availabilitySets/read",
                "Microsoft.Compute/availabilitySets/vmSizes/read",
                "Microsoft.Compute/diskAccesses/delete",
                "Microsoft.Compute/diskAccesses/privateEndpointConnections/read",
                "Microsoft.Compute/diskAccesses/privateEndpointConnections/write",
                "Microsoft.Compute/diskAccesses/PrivateEndpointConnectionsApproval/action",
                "Microsoft.Compute/diskAccesses/read",
                "Microsoft.Compute/diskAccesses/write",
                "Microsoft.Compute/diskEncryptionSets/read",
                "Microsoft.Compute/disks/beginGetAccess/action",
                "Microsoft.Compute/disks/delete",
                "Microsoft.Compute/disks/endGetAccess/action",
                "Microsoft.Compute/disks/read",
                "Microsoft.Compute/disks/write",
                "Microsoft.Compute/snapshots/beginGetAccess/action",
                "Microsoft.Compute/snapshots/delete",
                "Microsoft.Compute/snapshots/endGetAccess/action",
                "Microsoft.Compute/snapshots/read",
                "Microsoft.Compute/snapshots/write",
                "Microsoft.Compute/virtualMachines/deallocate/action",
                "Microsoft.Compute/virtualMachines/delete",
                "Microsoft.Compute/virtualMachines/read",
                "Microsoft.Compute/virtualMachines/runCommand/action",
                "Microsoft.Compute/virtualMachines/write",
                "Microsoft.DevTestLab/Schedules/read",
                "Microsoft.DevTestLab/Schedules/write",
                "Microsoft.Network/ddosProtectionPlans/join/action",
                "Microsoft.Network/ddosProtectionPlans/read",
                "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
                "Microsoft.Network/loadBalancers/read",
                "Microsoft.Network/natGateways/join/action",
                "Microsoft.Network/natGateways/read",
                "Microsoft.Network/networkInterfaces/delete",
                "Microsoft.Network/networkInterfaces/join/action",
                "Microsoft.Network/networkInterfaces/read",
                "Microsoft.Network/networkInterfaces/write",
                "Microsoft.Network/networkSecurityGroups/join/action",
                "Microsoft.Network/networkSecurityGroups/read",
                "Microsoft.Network/networkSecurityGroups/securityRules/delete",
                "Microsoft.Network/networkSecurityGroups/securityRules/read",
                "Microsoft.Network/networkSecurityGroups/securityRules/write",
                "Microsoft.Network/networkSecurityGroups/write",
                "Microsoft.Network/privateDnsZones/delete",
                "Microsoft.Network/privateDnsZones/join/action",
                "Microsoft.Network/privateDnsZones/read",
                "Microsoft.Network/privateDnsZones/write",
                "Microsoft.Network/privateEndpoints/delete",
                "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read",
                "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write",
                "Microsoft.Network/privateEndpoints/read",
                "Microsoft.Network/privateEndpoints/write",
                "Microsoft.Network/privateLinkServices/delete",
                "Microsoft.Network/privateLinkServices/privateEndpointConnections/delete",
                "Microsoft.Network/privateLinkServices/privateEndpointConnections/read",
                "Microsoft.Network/privateLinkServices/privateEndpointConnections/write",
                "Microsoft.Network/privateLinkServices/PrivateEndpointConnectionsApproval/action",
                "Microsoft.Network/privateLinkServices/read",
                "Microsoft.Network/privateLinkServices/write",
                "Microsoft.Network/publicIPAddresses/join/action",
                "Microsoft.Network/publicIPAddresses/read",
                "Microsoft.Network/publicIPAddresses/write",
                "Microsoft.Network/routeTables/join/action",
                "Microsoft.Network/routeTables/read",
                "Microsoft.Network/routeTables/routes/delete",
                "Microsoft.Network/routeTables/routes/read",
                "Microsoft.Network/routeTables/routes/write",
                "Microsoft.Network/routeTables/write",
                "Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read",
                "Microsoft.Network/virtualNetworks/join/action",
                "Microsoft.Network/virtualNetworks/peer/action",
                "Microsoft.Network/virtualNetworks/read",
                "Microsoft.Network/virtualNetworks/subnets/join/action",
                "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
                "Microsoft.Network/virtualNetworks/subnets/read",
                "Microsoft.Network/virtualNetworks/subnets/write",
                "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
                "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
                "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
                "Microsoft.Network/virtualNetworks/write",
                "Microsoft.Resources/subscriptions/resourceGroups/delete",
                "Microsoft.Resources/subscriptions/resourceGroups/moveResources/action",
                "Microsoft.Resources/subscriptions/resourceGroups/read",
                "Microsoft.Resources/subscriptions/resourceGroups/validateMoveResources/action",
                "Microsoft.Resources/subscriptions/resourceGroups/write",
                "Microsoft.Sql/locations/*",
                "Microsoft.Sql/managedInstances/databases/delete",
                "Microsoft.Sql/managedInstances/databases/read",
                "Microsoft.Sql/managedInstances/databases/write",
                "Microsoft.Sql/managedInstances/encryptionProtector/read",
                "Microsoft.Sql/managedInstances/read",
                "Microsoft.Sql/servers/databases/azureAsyncOperation/read",
                "Microsoft.Sql/servers/databases/delete",
                "Microsoft.Sql/servers/databases/read",
                "Microsoft.Sql/servers/databases/syncGroups/read",
                "Microsoft.Sql/servers/databases/transparentDataEncryption/read",
                "Microsoft.Sql/servers/databases/usages/read",
                "Microsoft.Sql/servers/databases/write",
                "Microsoft.Sql/servers/elasticPools/read",
                "Microsoft.Sql/servers/encryptionProtector/read",
                "Microsoft.Sql/servers/read",
                "Microsoft.Storage/storageAccounts/listKeys/action",
                "Microsoft.Storage/storageAccounts/privateEndpointConnections/write",
                "Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action",
                "Microsoft.Storage/storageAccounts/read",
                "Microsoft.Storage/storageAccounts/write"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
        }
    ]
}
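One way to review a role built from the permission list above, as an added example that is not Veeam's code: it groups the granted actions into review categories and reports any action in a deployed role that the documented list does not cover. The category names, function names and both sample roles are assumptions constructed for illustration; the baseline sample reuses five actions from the list.

```python
import json
from fnmatch import fnmatchcase

# Review categories are this example's assumption, not vendor guidance.
REVIEW = {
    "credential access": ["*/listkeys/action"],
    "in-guest command execution": ["*/runcommand/action"],
    "destructive": ["*/delete"],
    "wildcard grant": ["*[*]*"],  # any action string containing a literal '*'
}

def load_actions(role_json):
    """Lower-cased control-plane actions from a role in the page's JSON shape."""
    role = json.loads(role_json)
    return {a.lower() for p in role["permissions"] for a in p.get("actions", [])}

def classify(actions):
    """Map each review category to the sorted actions that match it."""
    return {cat: sorted(a for a in actions if any(fnmatchcase(a, p) for p in pats))
            for cat, pats in REVIEW.items()}

def drift(baseline, deployed):
    """Deployed actions not covered by any documented action or wildcard."""
    return sorted(a for a in deployed if not any(fnmatchcase(a, b) for b in baseline))

def role_doc(actions):
    return json.dumps({"permissions": [{"actions": actions, "notActions": [],
                                        "dataActions": [], "notDataActions": []}]})

# Constructed sample: five actions copied from the documented list.
BASELINE = role_doc([
    "Microsoft.Compute/disks/read",
    "Microsoft.Compute/snapshots/delete",
    "Microsoft.Compute/virtualMachines/runCommand/action",
    "Microsoft.Sql/locations/*",
    "Microsoft.Storage/storageAccounts/listKeys/action",
])
# Constructed sample: a deployed role that has picked up extra grants.
DEPLOYED = role_doc(json.loads(BASELINE)["permissions"][0]["actions"] + [
    "Microsoft.Sql/locations/capabilities/read",      # covered by the wildcard
    "Microsoft.Authorization/roleAssignments/write",  # not in the documented list
    "Microsoft.Compute/*",                            # broad wildcard, not documented
])

if __name__ == "__main__":
    for cat, hits in classify(load_actions(BASELINE)).items():
        print(f"{cat}: {hits}")
    print("drift:", drift(load_actions(BASELINE), load_actions(DEPLOYED)))
```

Action names are compared case-insensitively, and a documented wildcard such as `Microsoft.Sql/locations/*` is treated as covering every action beneath it.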

 
