https://login.veeam.com/en/oauth?client_id=nXojRrypJ8&redirect_uri=https%3A%2F%2Fwww.veeam.com%2Fservices%2Fauthentication%2Fredirect_url&response_type=code&scope=profile&state=eyJmaW5hbFJlZGlyZWN0TG9jYXRpb24iOiJodHRwczovL3d3dy52ZWVhbS5jb20va2IyNzAyIiwiaGFzaCI6Ijk4YWNiNmI2LTY5NzEtNDU0Yy05ZDgxLTAxZWY4NDgxYmE5NiJ9
Granular permissions for Microsoft Azure user
Challenge
Microsoft Azure has a number of built-in roles with predefined permissions. If you prefer to set up a custom role for Veeam Integration, you can use Azure PowerShell method to create one.
Solution
Setting up a custom role for Veeam Backup & Replication consists of two steps:
NOTE: Please be informed of a possible vulnerability before proceeding futher.
NOTE: Please be informed of a possible vulnerability before proceeding futher.
1. Creating a custom role on Microsoft Azure
You can specify the minimum permissions set using the following script:
$role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new() $role.Name = 'Veeam Restore Operator' $role.Description = 'Permissions for Veeam Direct Restore to Microsoft Azure' $role.IsCustom = $true $permissions = @( 'Microsoft.Storage/storageAccounts/listkeys/action', 'Microsoft.Storage/storageAccounts/read', 'Microsoft.Network/locations/checkDnsNameAvailability/read', 'Microsoft.Network/virtualNetworks/read', 'Microsoft.Network/virtualNetworks/subnets/join/action', 'Microsoft.Network/publicIPAddresses/read', 'Microsoft.Network/publicIPAddresses/write', 'Microsoft.Network/publicIPAddresses/delete', 'Microsoft.Network/publicIPAddresses/join/action', 'Microsoft.Network/networkInterfaces/read', 'Microsoft.Network/networkInterfaces/write', 'Microsoft.Network/networkInterfaces/delete', 'Microsoft.Network/networkInterfaces/join/action', 'Microsoft.Network/networkSecurityGroups/read', 'Microsoft.Network/networkSecurityGroups/write', 'Microsoft.Network/networkSecurityGroups/delete', 'Microsoft.Network/networkSecurityGroups/join/action', 'Microsoft.Compute/locations/vmSizes/read', 'Microsoft.Compute/locations/usages/read', 'Microsoft.Compute/virtualMachines/read', 'Microsoft.Compute/virtualMachines/write', 'Microsoft.Compute/virtualMachines/delete', 'Microsoft.Compute/virtualMachines/start/action', 'Microsoft.Compute/virtualMachines/deallocate/action', 'Microsoft.Compute/virtualMachines/instanceView/read', 'Microsoft.Compute/virtualMachines/extensions/read', 'Microsoft.Compute/virtualMachines/extensions/write', 'Microsoft.Resources/checkResourceName/action', 'Microsoft.Resources/subscriptions/resourceGroups/read', 'Microsoft.Resources/subscriptions/resourceGroups/write', 'Microsoft.Resources/subscriptions/locations/read' ) $role.Actions = $permissions $role.NotActions = (Get-AzureRmRoleDefinition -Name 'Virtual Machine Contributor').NotActions $subs = '/subscriptions/00000000-0000-0000-0000-000000000000' $role.AssignableScopes = $subs New-AzureRmRoleDefinition -Role $role
2. Add a user with the newly created custom role to Veeam Backup and Replication
Once the role and user have been created, they need to be added to Veeam Backup and Replication using the following method. This role cannot be added through the User Interface.a. Start Windows command line (CMD.exe or PowerShell.exe) with Administrative privileges
b. Navigate to Veeam Backup installation folder (by default: C:\Program Files\Veeam\Backup and Replication\) and then to “Backup” subfolder, so the full path should look like: "C:\Program Files\Veeam\Backup and Replication\Backup":
b. Navigate to Veeam Backup installation folder (by default: C:\Program Files\Veeam\Backup and Replication\) and then to “Backup” subfolder, so the full path should look like: "C:\Program Files\Veeam\Backup and Replication\Backup":
cd C:\Program Files\Veeam\Backup and Replication\Backupc. Type following command: Veeam.backup.manager.exe REGISTERAZUREACCOUNT. The account is now ready for use.
More information
For Veeam 9.5 Update 4 and later, please refer to the following document: https://helpcenter.veeam.com/docs/backup/vsphere/azure_custom_role.html?ver=95u4
KB ID:
2702
Product:
Veeam Backup & Replication
Version:
9.5.0.x
Published:
2018-08-09
Last Modified:
2020-08-13
Couldn't find what you were looking for?
Below you can submit an idea for a new knowledge base article.
Report a typo on this page:
Please select a spelling error or a typo on this page with your mouse and press CTRL + Enter to report this mistake to us. Thank you!
Please select a spelling error or a typo on this page with your mouse and press CTRL + Enter to report this mistake to us. Thank you!
Spelling error in text
Knowledge base content request
How can we assist you today?
How can we assist you today?
Happy Holidays!
Chat is offline now. Please fill out the form and we will call you back.
Technical
General and Licensing
Renewal
Sales
Partnership
Do you have an issue or need post-sales technical assistance?
*if you need help choosing the right product, please select "Sales" chat
Do you need guidance on the website, upgrade hints or help with your licenses/accounts?
Questions regarding your Veeam contract renewal? Contact us and learn how you can maximize your savings
Do you need additional license, pricing details, product information or have any other sales-related question?
Would you like to become our partner or do you need assistance as our existing partner?
Start chat
We apologize, but this chat is not available at the moment
Start chat
We apologize, but this chat is not available at the moment
Start chat
We apologize, but this chat is not available at the moment
Start chat
We apologize, but this chat is not available at the moment
Privacy Notice. By submitting, you agree that your personal data will be managed by Veeam in accordance with the Privacy Policy.
Back
Thank you for your request!
Veeam representative will get back to you shortly.
Stay up to date with Veeam product updates, latest news, and recent content.
By subscribing, you agree to receive communications about Veeam products, services and events. Your personal data will be managed by Veeam in accordance with the Privacy Policy. You can unsubscribe at any time.