Challenge
By default, Microsoft Azure has a limited number of built-in roles with predefined permissions. If you prefer to set up a custom role specifically for Veeam integration, you can use the Azure PowerShell method to create one.
Solution
Setting up a custom role for Veeam Backup & Replication consists of two steps:
Creating a custom role in Microsoft Azure
You can specify the minimum set of permissions using the following script:
    # Build an empty custom role definition
    $role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
    $role.Name = 'Veeam Restore Operator'
    $role.Description = 'Permissions for Veeam Direct Restore to Microsoft Azure'
    $role.IsCustom = $true

    # Actions granted to the role
    $permissions = @(
        'Microsoft.Storage/storageAccounts/listkeys/action',
        'Microsoft.Storage/storageAccounts/read',
        'Microsoft.Network/locations/checkDnsNameAvailability/read',
        'Microsoft.Network/virtualNetworks/read',
        'Microsoft.Network/virtualNetworks/subnets/join/action',
        'Microsoft.Network/publicIPAddresses/read',
        'Microsoft.Network/publicIPAddresses/write',
        'Microsoft.Network/publicIPAddresses/delete',
        'Microsoft.Network/publicIPAddresses/join/action',
        'Microsoft.Network/networkInterfaces/read',
        'Microsoft.Network/networkInterfaces/write',
        'Microsoft.Network/networkInterfaces/delete',
        'Microsoft.Network/networkInterfaces/join/action',
        'Microsoft.Network/networkSecurityGroups/read',
        'Microsoft.Network/networkSecurityGroups/write',
        'Microsoft.Network/networkSecurityGroups/delete',
        'Microsoft.Network/networkSecurityGroups/join/action',
        'Microsoft.Compute/locations/vmSizes/read',
        'Microsoft.Compute/locations/usages/read',
        'Microsoft.Compute/virtualMachines/read',
        'Microsoft.Compute/virtualMachines/write',
        'Microsoft.Compute/virtualMachines/delete',
        'Microsoft.Compute/virtualMachines/start/action',
        'Microsoft.Compute/virtualMachines/deallocate/action',
        'Microsoft.Compute/virtualMachines/instanceView/read',
        'Microsoft.Compute/virtualMachines/extensions/read',
        'Microsoft.Compute/virtualMachines/extensions/write',
        'Microsoft.Resources/checkResourceName/action',
        'Microsoft.Resources/subscriptions/resourceGroups/read',
        'Microsoft.Resources/subscriptions/resourceGroups/write',
        'Microsoft.Resources/subscriptions/locations/read'
    )
    $role.Actions = $permissions

    # Reuse the exclusions of the built-in 'Virtual Machine Contributor' role
    $role.NotActions = (Get-AzureRmRoleDefinition -Name 'Virtual Machine Contributor').NotActions

    # Placeholder subscription ID: replace with the subscription the role applies to
    $subs = '/subscriptions/00000000-0000-0000-0000-000000000000'
    $role.AssignableScopes = $subs

    # Create the role in Azure
    New-AzureRmRoleDefinition -Role $role
Adding the user with the custom role to Veeam Backup & Replication
Once the role has been created, add it to the Veeam Backup & Replication configuration manually, because adding it through the user interface results in an error.
- Start the Windows command line with administrative privileges.
- Navigate to the Veeam Backup installation folder (by default: C:\Program Files\Veeam\Backup and Replication\) and then to the “Backup” subfolder, so the full path should look like: C:\Program Files\Veeam\Backup and Replication\Backup
- Type the following command:

    Veeam.backup.manager.exe REGISTERAZUREACCOUNT <username> <password>
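
As an added example (not part of the original article and not Veeam or Microsoft code), the following PowerShell reviews a role definition such as the one created in the first step before the account is registered, flagging wildcard actions, the storage key listing permission, write/delete actions and subscription-wide scope. The function name `Test-CustomRoleDefinition` is hypothetical, and the sample object is constructed, including one wildcard entry that is not in the article's list.

```powershell
# Added example. Test-CustomRoleDefinition is a hypothetical helper name,
# not an Azure or Veeam cmdlet.
function Test-CustomRoleDefinition {
    param([Parameter(Mandatory)] $Role)  # needs Name, Actions, AssignableScopes

    $findings = @()
    foreach ($action in $Role.Actions) {
        if ($action.Contains('*')) {
            $sev = 'High';   $why = 'Wildcard: grants every operation under this path'
        }
        elseif ($action -match '/listkeys/action$') {
            $sev = 'High';   $why = 'Returns storage account keys (full data access)'
        }
        elseif ($action -match '/(write|delete)$') {
            $sev = 'Review'; $why = 'Can create, change or remove resources'
        }
        else { continue }    # read-only and other actions are not reported
        $findings += [pscustomobject]@{ Severity = $sev; Item = $action; Reason = $why }
    }
    foreach ($scope in $Role.AssignableScopes) {
        if ($scope -match '^/subscriptions/[^/]+/?$') {
            $findings += [pscustomobject]@{
                Severity = 'Review'; Item = $scope
                Reason   = 'Role can be assigned across the whole subscription'
            }
        }
    }
    $findings
}

# Constructed sample: a few actions from the script above plus one wildcard
# that is NOT in the article's list, added to show what drift looks like.
$sample = [pscustomobject]@{
    Name             = 'Veeam Restore Operator'
    Actions          = @(
        'Microsoft.Storage/storageAccounts/listkeys/action',
        'Microsoft.Storage/storageAccounts/read',
        'Microsoft.Compute/virtualMachines/write',
        'Microsoft.Compute/virtualMachines/delete',
        'Microsoft.Network/*'   # constructed, not from the article
    )
    AssignableScopes = @('/subscriptions/00000000-0000-0000-0000-000000000000')
}
Test-CustomRoleDefinition -Role $sample | Format-Table -AutoSize

# Against the deployed role (requires an authenticated AzureRM session):
# Test-CustomRoleDefinition -Role (Get-AzureRmRoleDefinition -Name 'Veeam Restore Operator')
```

Re-running the check against the deployed role on a schedule shows whether permissions have been added to it since it was created.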