
Granular permissions for Microsoft Azure user

Challenge

Microsoft Azure has a number of built-in roles with predefined permissions. If you prefer to set up a custom role for Veeam integration, you can create one with Azure PowerShell.
 

Solution

Setting up a custom role for Veeam Backup & Replication consists of two steps:

NOTE: Please be informed of a possible vulnerability before proceeding further.

1. Creating a custom role on Microsoft Azure

You can specify the minimum set of permissions using the following script:
$role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
$role.Name = 'Veeam Restore Operator'
$role.Description = 'Permissions for Veeam Direct Restore to Microsoft Azure'
$role.IsCustom = $true
$permissions = @(
'Microsoft.Storage/storageAccounts/listkeys/action',
'Microsoft.Storage/storageAccounts/read',
'Microsoft.Network/locations/checkDnsNameAvailability/read',
'Microsoft.Network/virtualNetworks/read',
'Microsoft.Network/virtualNetworks/subnets/join/action',
'Microsoft.Network/publicIPAddresses/read',
'Microsoft.Network/publicIPAddresses/write',
'Microsoft.Network/publicIPAddresses/delete',
'Microsoft.Network/publicIPAddresses/join/action',
'Microsoft.Network/networkInterfaces/read',
'Microsoft.Network/networkInterfaces/write',
'Microsoft.Network/networkInterfaces/delete',
'Microsoft.Network/networkInterfaces/join/action',
'Microsoft.Network/networkSecurityGroups/read',
'Microsoft.Network/networkSecurityGroups/write',
'Microsoft.Network/networkSecurityGroups/delete',
'Microsoft.Network/networkSecurityGroups/join/action',
'Microsoft.Compute/locations/vmSizes/read',
'Microsoft.Compute/locations/usages/read',
'Microsoft.Compute/virtualMachines/read',
'Microsoft.Compute/virtualMachines/write',
'Microsoft.Compute/virtualMachines/delete',
'Microsoft.Compute/virtualMachines/start/action',
'Microsoft.Compute/virtualMachines/deallocate/action',
'Microsoft.Compute/virtualMachines/instanceView/read',
'Microsoft.Compute/virtualMachines/extensions/read',
'Microsoft.Compute/virtualMachines/extensions/write',
'Microsoft.Resources/checkResourceName/action',
'Microsoft.Resources/subscriptions/resourceGroups/read',
'Microsoft.Resources/subscriptions/resourceGroups/write',
'Microsoft.Resources/subscriptions/locations/read'
)
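$role.Actions = $permissions
# Reuse the exclusions (NotActions) of the built-in 'Virtual Machine Contributor' role
$role.NotActions = (Get-AzureRmRoleDefinition -Name 'Virtual Machine Contributor').NotActions
# Replace the placeholder with the ID of your own subscription
$subs = '/subscriptions/00000000-0000-0000-0000-000000000000'
$role.AssignableScopes = $subs
# Create the custom role in Azure
New-AzureRmRoleDefinition -Role $role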

2. Add a user with the newly created custom role to Veeam Backup and Replication

Once the role and user have been created, they need to be added to Veeam Backup and Replication using the following method. This role cannot be added through the User Interface. 
a. Start the Windows command line (CMD.exe or PowerShell.exe) with administrative privileges.
b. Navigate to the Veeam Backup installation folder (by default: C:\Program Files\Veeam\Backup and Replication\) and then to the “Backup” subfolder, so the full path should look like "C:\Program Files\Veeam\Backup and Replication\Backup":
cd "C:\Program Files\Veeam\Backup and Replication\Backup"
c. Type the following command: Veeam.backup.manager.exe REGISTERAZUREACCOUNT. The account is now ready for use.
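
A review check for the role created in step 1, as an added example that is not part of the original article or Veeam's own code: it flags wildcard, key-listing and write/delete actions, and assignable scopes wider than one subscription. The function name Test-RoleDefinition and the sample object are assumptions constructed for illustration.

```powershell
# Added example (hypothetical helper): review a role definition for over-broad grants.
function Test-RoleDefinition {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Role
    )
    process {
        foreach ($action in $Role.Actions) {
            $reason = $null
            if ($action.Contains('*')) {
                $reason = 'wildcard grants every current and future operation under this path'
            } elseif ($action -like '*/listkeys/action') {
                $reason = 'returns storage account keys, which give full access to the account data'
            } elseif ($action -match '/(write|delete)$') {
                $reason = 'can create, modify or remove resources'
            }
            if ($reason) {
                [pscustomobject]@{ Role = $Role.Name; Item = $action; Reason = $reason }
            }
        }
        foreach ($scope in $Role.AssignableScopes) {
            # The script in step 1 scopes the role to a single subscription; flag anything wider.
            if ($scope -notmatch '^/subscriptions/[0-9a-fA-F-]{36}(/|$)') {
                [pscustomobject]@{ Role = $Role.Name; Item = $scope; Reason = 'assignable scope is wider than one subscription' }
            }
        }
    }
}

# Constructed sample: a few actions from the list in step 1, plus a wildcard action
# and a root scope that are NOT in the article, to show what drift looks like.
$sample = [pscustomobject]@{
    Name             = 'Veeam Restore Operator'
    Actions          = @(
        'Microsoft.Storage/storageAccounts/listkeys/action',
        'Microsoft.Storage/storageAccounts/read',
        'Microsoft.Compute/virtualMachines/write',
        'Microsoft.Network/*'    # constructed drift
    )
    AssignableScopes = @('/subscriptions/00000000-0000-0000-0000-000000000000', '/')
}
$sample | Test-RoleDefinition | Format-Table -AutoSize

# Against the live role (requires the AzureRM module and a signed-in session):
# Get-AzureRmRoleDefinition -Name 'Veeam Restore Operator' | Test-RoleDefinition
# Get-AzureRmRoleAssignment -RoleDefinitionName 'Veeam Restore Operator' | Select-Object DisplayName, ObjectType, Scope
```

The write, delete and listkeys findings are expected for the list in step 1; a wildcard or a non-subscription scope indicates the role has been widened beyond it.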

More information

For Veeam 9.5 Update 4 and later, please refer to the following document: https://helpcenter.veeam.com/docs/backup/vsphere/azure_custom_role.html?ver=95u4
KB ID: 2702
Product: Veeam Backup & Replication
Version: 9.5.0.x
Published: 2018-08-09
Last Modified: 2020-08-13