1-800-691-1991 | 9am - 8pm ET
EN

Required Roles and Permissions for Veeam Backup for Microsoft Azure

KB ID: 3154
Product: Veeam Backup for Microsoft Azure 2.0
Published: 2020-04-28
Last Modified: 2021-06-04

Challenge

You want to create manual permissions for your Azure account (service account) for Veeam Backup for Microsoft Azure or for a repository account. The Azure or service account is responsible for:
  • Synchronization of virtual machines and disks with the Veeam Backup for Microsoft Azure database.
  • Synchronization of subscriptions and storage accounts.
  • Accessing virtual machines and its disks as a source of backup.
  • Creating and deleting snapshots of virtual disks during backup.
The repository account can be used to store data in a different Azure Active Directory.

Solution

Azure Service Account

Go to the Azure portal and add permissions to your Azure account. The account for the default subscription will need at least the following permissions:

Contributor
For other subscriptions that are connected to your account, add the following permissions:
Microsoft.Authorization/roleAssignments/read
Microsoft.Commerce/RateCard/read
Microsoft.DevTestLab/Schedules/write
Microsoft.Compute/disks/beginGetAccess/action
Microsoft.Compute/disks/delete
Microsoft.Compute/disks/endGetAccess/action
Microsoft.Compute/disks/read
Microsoft.Compute/disks/write
Microsoft.Compute/snapshots/beginGetAccess/action
Microsoft.Compute/snapshots/delete
Microsoft.Compute/snapshots/endGetAccess/action
Microsoft.Compute/snapshots/read
Microsoft.Compute/snapshots/write
Microsoft.Compute/virtualMachines/deallocate/action
Microsoft.Compute/virtualMachines/delete
Microsoft.Compute/virtualMachines/extensions/read
Microsoft.Compute/virtualMachines/extensions/write
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/runCommand/action
Microsoft.Compute/virtualMachines/start/action
Microsoft.Compute/virtualMachines/write
Microsoft.Network/networkInterfaces/delete
Microsoft.Network/networkInterfaces/join/action
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkInterfaces/write
Microsoft.Network/networkSecurityGroups/join/action
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/publicIPAddresses/join/action
Microsoft.Network/publicIPAddresses/read
Microsoft.Network/publicIPAddresses/delete
Microsoft.Network/publicIPAddresses/write
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Network/virtualNetworks/write
Microsoft.Resources/subscriptions/resourceGroups/moveResources/action
Microsoft.Resources/subscriptions/resourceGroups/delete
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/subscriptions/resourceGroups/write
Microsoft.ServiceBus/namespaces/queues/authorizationRules/ListKeys/action
Microsoft.ServiceBus/namespaces/queues/authorizationRules/read
Microsoft.ServiceBus/namespaces/queues/authorizationRules/write
Microsoft.ServiceBus/namespaces/queues/delete
Microsoft.ServiceBus/namespaces/queues/read
Microsoft.ServiceBus/namespaces/queues/write
Microsoft.ServiceBus/namespaces/read
Microsoft.ServiceBus/namespaces/write
Microsoft.ServiceBus/register/action
Microsoft.Sql/locations/*
Microsoft.Sql/managedInstances/databases/delete
Microsoft.Sql/managedInstances/databases/read
Microsoft.Sql/managedInstances/databases/write
Microsoft.Sql/managedInstances/encryptionProtector/read
Microsoft.Sql/managedInstances/read
Microsoft.Sql/servers/databases/azureAsyncOperation/read
Microsoft.Sql/servers/databases/read
Microsoft.Sql/servers/databases/transparentDataEncryption/read
Microsoft.Sql/servers/databases/usages/read
Microsoft.Sql/servers/databases/write
Microsoft.Sql/servers/elasticPools/read
Microsoft.Sql/servers/read
Microsoft.Storage/storageAccounts/blobServices/read
Microsoft.Storage/storageAccounts/listKeys/action
Microsoft.Storage/storageAccounts/managementPolicies/write
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/write
Repository Account

Go to the Azure portal and add permissions to your storage account. You will need at least the following permissions:

Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/listKeys/action
Microsoft.Storage/storageAccounts/blobServices/read

More information

For more information, see the Managing Accounts section of the Veeam Backup for Microsoft Azure User Guide.
KB ID: 3154
Product: Veeam Backup for Microsoft Azure 2.0
Published: 2020-04-28
Last Modified: 2021-06-04

Couldn't find what you were looking for?

Below you can submit an idea for a new knowledge base article.
Report a typo on this page:

Please select a spelling error or a typo on this page with your mouse and press CTRL + Enter to report this mistake to us. Thank you!

Spelling error in text

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Knowledge base content request
By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Policy.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

ty icon

Thank you!

We have received your request and our team will reach out to you shortly.

OK

error icon

Oops! Something went wrong.

Please go back try again later.