Challenge
Microsoft Azure has a number of built-in roles with predefined permissions. If you prefer to set up a custom role for Veeam Integration, you can use Azure PowerShell method to create one.
Solution
Setting up a custom role for Veeam Backup & Replication consists of two steps:
NOTE: Please be informed of a possible vulnerability before proceeding futher.
1. Creating a custom role on Microsoft Azure
You can specify the minimum permissions set using the following script:
$role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new() $role.Name = 'Veeam Restore Operator' $role.Description = 'Permissions for Veeam Direct Restore to Microsoft Azure' $role.IsCustom = $true $permissions = @( 'Microsoft.Storage/storageAccounts/listkeys/action', 'Microsoft.Storage/storageAccounts/read', 'Microsoft.Network/locations/checkDnsNameAvailability/read', 'Microsoft.Network/virtualNetworks/read', 'Microsoft.Network/virtualNetworks/subnets/join/action', 'Microsoft.Network/publicIPAddresses/read', 'Microsoft.Network/publicIPAddresses/write', 'Microsoft.Network/publicIPAddresses/delete', 'Microsoft.Network/publicIPAddresses/join/action', 'Microsoft.Network/networkInterfaces/read', 'Microsoft.Network/networkInterfaces/write', 'Microsoft.Network/networkInterfaces/delete', 'Microsoft.Network/networkInterfaces/join/action', 'Microsoft.Network/networkSecurityGroups/read', 'Microsoft.Network/networkSecurityGroups/write', 'Microsoft.Network/networkSecurityGroups/delete', 'Microsoft.Network/networkSecurityGroups/join/action', 'Microsoft.Compute/locations/vmSizes/read', 'Microsoft.Compute/locations/usages/read', 'Microsoft.Compute/virtualMachines/read', 'Microsoft.Compute/virtualMachines/write', 'Microsoft.Compute/virtualMachines/delete', 'Microsoft.Compute/virtualMachines/start/action', 'Microsoft.Compute/virtualMachines/deallocate/action', 'Microsoft.Compute/virtualMachines/instanceView/read', 'Microsoft.Compute/virtualMachines/extensions/read', 'Microsoft.Compute/virtualMachines/extensions/write', 'Microsoft.Resources/checkResourceName/action', 'Microsoft.Resources/subscriptions/resourceGroups/read', 'Microsoft.Resources/subscriptions/resourceGroups/write', 'Microsoft.Resources/subscriptions/locations/read' ) $role.Actions = $permissions $role.NotActions = (Get-AzureRmRoleDefinition -Name 'Virtual Machine Contributor').NotActions $subs = '/subscriptions/00000000-0000-0000-0000-000000000000' $role.AssignableScopes = $subs New-AzureRmRoleDefinition -Role $role
2. Add a user with the newly created custom role to Veeam Backup and Replication
Once the role and user have been created, they need to be added to Veeam Backup and Replication using the following method. This role cannot be added through the User Interface.a. Start Windows command line (CMD.exe or PowerShell.exe) with Administrative privileges
b. Navigate to Veeam Backup installation folder (by default: C:\Program Files\Veeam\Backup and Replication\) and then to “Backup” subfolder, so the full path should look like: "C:\Program Files\Veeam\Backup and Replication\Backup":
b. Navigate to Veeam Backup installation folder (by default: C:\Program Files\Veeam\Backup and Replication\) and then to “Backup” subfolder, so the full path should look like: "C:\Program Files\Veeam\Backup and Replication\Backup":
cd C:\Program Files\Veeam\Backup and Replication\Backupc. Type following command: Veeam.backup.manager.exe REGISTERAZUREACCOUNT. The account is now ready for use.
More Information
For Veeam 9.5 Update 4 and later, please refer to the following document: https://helpcenter.veeam.com/docs/backup/vsphere/azure_custom_role.html?ver=95u4