1-800-691-1991 | 9am - 8pm ET
EN

Required Roles and Permissions for Veeam Backup for Microsoft Azure

KB ID: 3154
Product: Veeam Backup for Microsoft Azure | 2.0
Published: 2020-04-28
Last Modified: 2021-06-04
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Policy.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please try again later.

Challenge

You want to create manual permissions for your Azure account (service account) for Veeam Backup for Microsoft Azure or for a repository account. The Azure or service account is responsible for:
  • Synchronization of virtual machines and disks with the Veeam Backup for Microsoft Azure database.
  • Synchronization of subscriptions and storage accounts.
  • Accessing virtual machines and its disks as a source of backup.
  • Creating and deleting snapshots of virtual disks during backup.
The repository account can be used to store data in a different Azure Active Directory.

Solution

Azure Service Account

Go to the Azure portal and add permissions to your Azure account. The account for the default subscription will need at least the following permissions:

Contributor
For other subscriptions that are connected to your account, add the following permissions:
Microsoft.Authorization/roleAssignments/read
Microsoft.Commerce/RateCard/read
Microsoft.DevTestLab/Schedules/write
Microsoft.Compute/disks/beginGetAccess/action
Microsoft.Compute/disks/delete
Microsoft.Compute/disks/endGetAccess/action
Microsoft.Compute/disks/read
Microsoft.Compute/disks/write
Microsoft.Compute/snapshots/beginGetAccess/action
Microsoft.Compute/snapshots/delete
Microsoft.Compute/snapshots/endGetAccess/action
Microsoft.Compute/snapshots/read
Microsoft.Compute/snapshots/write
Microsoft.Compute/virtualMachines/deallocate/action
Microsoft.Compute/virtualMachines/delete
Microsoft.Compute/virtualMachines/extensions/read
Microsoft.Compute/virtualMachines/extensions/write
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/runCommand/action
Microsoft.Compute/virtualMachines/start/action
Microsoft.Compute/virtualMachines/write
Microsoft.Network/networkInterfaces/delete
Microsoft.Network/networkInterfaces/join/action
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkInterfaces/write
Microsoft.Network/networkSecurityGroups/join/action
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/publicIPAddresses/join/action
Microsoft.Network/publicIPAddresses/read
Microsoft.Network/publicIPAddresses/delete
Microsoft.Network/publicIPAddresses/write
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Network/virtualNetworks/write
Microsoft.Resources/subscriptions/resourceGroups/moveResources/action
Microsoft.Resources/subscriptions/resourceGroups/delete
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/subscriptions/resourceGroups/write
Microsoft.ServiceBus/namespaces/queues/authorizationRules/ListKeys/action
Microsoft.ServiceBus/namespaces/queues/authorizationRules/read
Microsoft.ServiceBus/namespaces/queues/authorizationRules/write
Microsoft.ServiceBus/namespaces/queues/delete
Microsoft.ServiceBus/namespaces/queues/read
Microsoft.ServiceBus/namespaces/queues/write
Microsoft.ServiceBus/namespaces/read
Microsoft.ServiceBus/namespaces/write
Microsoft.ServiceBus/register/action
Microsoft.Sql/locations/*
Microsoft.Sql/managedInstances/databases/delete
Microsoft.Sql/managedInstances/databases/read
Microsoft.Sql/managedInstances/databases/write
Microsoft.Sql/managedInstances/encryptionProtector/read
Microsoft.Sql/managedInstances/read
Microsoft.Sql/servers/databases/azureAsyncOperation/read
Microsoft.Sql/servers/databases/read
Microsoft.Sql/servers/databases/transparentDataEncryption/read
Microsoft.Sql/servers/databases/usages/read
Microsoft.Sql/servers/databases/write
Microsoft.Sql/servers/elasticPools/read
Microsoft.Sql/servers/read
Microsoft.Storage/storageAccounts/blobServices/read
Microsoft.Storage/storageAccounts/listKeys/action
Microsoft.Storage/storageAccounts/managementPolicies/write
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/write
Repository Account

Go to the Azure portal and add permissions to your storage account. You will need at least the following permissions:

Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/listKeys/action
Microsoft.Storage/storageAccounts/blobServices/read

More information

For more information, see the Managing Accounts section of the Veeam Backup for Microsoft Azure User Guide.
Click here to send feedback regarding this KB, or suggest content for a new KB.
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Policy.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Thank you for your interest in Veeam products!
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please try again later.