Granular permissions for Microsoft Azure user

KB ID: 2702
Product: Veeam Backup & Replication
Version: 9.5
Published:
Last Modified: 2018-08-13

Challenge

Microsoft Azure has a number of built-in roles with predefined permissions. If you prefer to set up a custom role for Veeam Integration, you can use Azure PowerShell method to create one.

Solution

Setting up a custom role for Veeam Backup & Replication consists of two steps:

  1. Creating a custom role on Microsoft Azure

You can specify minimum permissions set, using the following script:
 
$role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
$role.Name = 'Veeam Restore Operator'
$role.Description = 'Permissions for Veeam Direct Restore to Microsoft Azure'
$role.IsCustom = $true
 
$permissions = @(
'Microsoft.Storage/storageAccounts/listkeys/action',
'Microsoft.Storage/storageAccounts/read',
'Microsoft.Network/locations/checkDnsNameAvailability/read',
'Microsoft.Network/virtualNetworks/read',
'Microsoft.Network/virtualNetworks/subnets/join/action',
'Microsoft.Network/publicIPAddresses/read',
'Microsoft.Network/publicIPAddresses/write',
'Microsoft.Network/publicIPAddresses/delete',
'Microsoft.Network/publicIPAddresses/join/action',
'Microsoft.Network/networkInterfaces/read',
'Microsoft.Network/networkInterfaces/write',
'Microsoft.Network/networkInterfaces/delete',
'Microsoft.Network/networkInterfaces/join/action',
'Microsoft.Network/networkSecurityGroups/read',
'Microsoft.Network/networkSecurityGroups/write',
'Microsoft.Network/networkSecurityGroups/delete',
'Microsoft.Network/networkSecurityGroups/join/action',
'Microsoft.Compute/locations/vmSizes/read',
'Microsoft.Compute/locations/usages/read',
'Microsoft.Compute/virtualMachines/read',
'Microsoft.Compute/virtualMachines/write',
'Microsoft.Compute/virtualMachines/delete',
'Microsoft.Compute/virtualMachines/start/action',
'Microsoft.Compute/virtualMachines/deallocate/action',
'Microsoft.Compute/virtualMachines/instanceView/read',
'Microsoft.Compute/virtualMachines/extensions/read',
'Microsoft.Compute/virtualMachines/extensions/write',
'Microsoft.Resources/checkResourceName/action',
'Microsoft.Resources/subscriptions/resourceGroups/read',
'Microsoft.Resources/subscriptions/resourceGroups/write',
'Microsoft.Resources/subscriptions/locations/read'
)


$role.Actions = $permissions
$role.NotActions = (Get-AzureRmRoleDefinition -Name 'Virtual Machine Contributor').NotActions
$subs = '/subscriptions/00000000-0000-0000-0000-000000000000'
$role.AssignableScopes = $subs
New-AzureRmRoleDefinition -Role $role
 
  1. Add a user with the newly created custom role to Veeam Backup and Replication

Once the role and user have been created, you must add it to Veeam Backup and Replication using the following method. This role cannot be added through the User Interface. 
  1. Start Windows command line (CMD.exe or PowerShell.exe) with Administrative privileges
  2. Navigate to Veeam Backup installation folder (by default: C:\Program Files\Veeam\Backup and Replication\) and then to “Backup” subfolder, so the full path should look like: "C:\Program Files\Veeam\Backup and Replication\Backup":
    cd C:\Program Files\Veeam\Backup and Replication\Backup
  3. Type following command:
    Veeam.backup.manager.exe REGISTERAZUREACCOUNT <username> <password>
The account is now ready for use.

Rate the quality of this KB article: 
4.8 out of 5 based on 3 ratings

Couldn't find what you were looking for?

Below you can submit an idea for a new knowledge base article.

Request new content

Report a typo on this page:

Please select a spelling error or a typo on this page with your mouse and press CTRL + Enter to report this mistake to us. Thank you!

Orphus system