| Management operation | Minimum Azure role required | Scope required | Alternative |
| --- | --- | --- | --- |
| Create Recovery Services vault | Backup Contributor | Resource group containing the vault | |
| Enable backup of Azure VMs | Backup Operator | Resource group containing the vault | |
| | Virtual Machine Contributor | VM resource | Alternatively, instead of a built-in role, you can consider a custom role which has the following permissions: `Microsoft.Compute/virtualMachines/write`, `Microsoft.Compute/virtualMachines/read` |
| Enable backup of Azure VMs (from VM blade) | Backup Operator | Resource group containing the vault | |
| | Backup Operator | Resource group containing the virtual machine | |
| | Virtual Machine Contributor | VM resource | Alternatively, instead of a built-in role, you can consider a custom role which has the following permissions: `Microsoft.Compute/virtualMachines/write`, `Microsoft.Compute/virtualMachines/read`, `Microsoft.Compute/virtualMachines/instanceView/read` |
| On-demand backup of VM | Backup Operator | Recovery Services vault | |
| Restore VM | Backup Operator | Recovery Services vault | |
| | Contributor | Resource group in which VM will be deployed | Alternatively, instead of a built-in role, you can consider a custom role which has the following permissions: `Microsoft.Resources/subscriptions/resourceGroups/write`, `Microsoft.DomainRegistration/domains/write` (required only for classic VM restore and not required for managed VMs), `Microsoft.Compute/virtualMachines/write`, `Microsoft.Compute/virtualMachines/read`, `Microsoft.Network/virtualNetworks/read`, `Microsoft.Network/virtualNetworks/subnets/read`, `Microsoft.Network/virtualNetworks/subnets/join/action` |
| | Virtual Machine Contributor | Source VM that got backed up | Alternatively, instead of a built-in role, you can consider a custom role which has the following permissions: `Microsoft.Compute/virtualMachines/write`, `Microsoft.Compute/virtualMachines/read` |
| | Storage Account Contributor | Storage account resource where disks are going to be restored | Alternatively, instead of a built-in role, you can consider a custom role which has the following permissions: `Microsoft.Storage/storageAccounts/write`, `Microsoft.Storage/storageAccounts/listkeys/action` |
| Restore unmanaged disks VM backup | Backup Operator | Recovery Services vault | |
| | Virtual Machine Contributor | Source VM that got backed up | Alternatively, instead of a built-in role, you can consider a custom role which has the following permissions: `Microsoft.Compute/virtualMachines/write`, `Microsoft.Compute/virtualMachines/read` |
| | Storage Account Contributor | Storage account resource where disks are going to be restored | Alternatively, instead of a built-in role, you can consider a custom role which has the following permissions: `Microsoft.Storage/storageAccounts/write`, `Microsoft.Storage/storageAccounts/listkeys/action` |
| Restore managed disks from VM backup | Backup Operator | Recovery Services vault | |
| | Virtual Machine Contributor | Source VM that got backed up | Alternatively, instead of a built-in role, you can consider a custom role which has the following permissions: `Microsoft.Compute/virtualMachines/write`, `Microsoft.Compute/virtualMachines/read` |
| | Storage Account Contributor | Temporary storage account selected as part of restore to hold data from the vault before converting it to managed disks | Alternatively, instead of a built-in role, you can consider a custom role which has the following permissions: `Microsoft.Storage/storageAccounts/write`, `Microsoft.Storage/storageAccounts/listkeys/action` |
| | Contributor | Resource group to which managed disk(s) will be restored | Alternatively, instead of a built-in role, you can consider a custom role which has the following permissions: `Microsoft.Resources/subscriptions/resourceGroups/write` |
| Restore individual files from VM backup | Backup Operator | Recovery Services vault | |
| | Virtual Machine Contributor | Source VM that got backed up | Alternatively, instead of a built-in role, you can consider a custom role which has the following permissions: `Microsoft.Compute/virtualMachines/write`, `Microsoft.Compute/virtualMachines/read` |
| Cross region restore | Backup Operator | Subscription of the Recovery Services vault | This is in addition to the restore permissions mentioned above. Specifically for CRR, instead of a built-in role, you can consider a custom role which has the following permissions: `Microsoft.RecoveryServices/locations/backupAadProperties/read`, `Microsoft.RecoveryServices/locations/backupCrrJobs/action`, `Microsoft.RecoveryServices/locations/backupCrrJob/action`, `Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action`, `Microsoft.RecoveryServices/locations/backupCrrOperationResults/read`, `Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read` |
| Create backup policy for Azure VM backup | Backup Contributor | Recovery Services vault | |
| Modify backup policy of Azure VM backup | Backup Contributor | Recovery Services vault | |
| Delete backup policy of Azure VM backup | Backup Contributor | Recovery Services vault | |
| Stop backup (with retain data or delete data) on VM backup | Backup Contributor | Recovery Services vault | |
| Register on-premises Windows Server/client/SCDPM or Azure Backup Server | Backup Operator | Recovery Services vault | |
| Delete registered on-premises Windows Server/client/SCDPM or Azure Backup Server | Backup Contributor | Recovery Services vault | |
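When a custom role replaces a built-in one, it is worth checking that the role still grants every permission the table lists and nothing broader. The following added example (not part of the original page or of any Microsoft tooling) audits a role definition against the permissions listed for the Restore VM target resource group, evaluating `Actions` wildcards and `NotActions` as Azure RBAC does. The two role definitions and their names are constructed samples.

```python
import re

# Permissions the table lists as the custom-role alternative to Contributor on
# the resource group a VM is restored into. The page marks
# Microsoft.DomainRegistration/domains/write as classic-VM only, so it is omitted.
RESTORE_VM_TARGET_RG = [
    "Microsoft.Resources/subscriptions/resourceGroups/write",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
]

def matches(pattern, action):
    """Azure RBAC action match: '*' is a wildcard, comparison ignores case."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def granted(role, action):
    """Effective permission = Actions minus NotActions."""
    allowed = any(matches(p, action) for p in role.get("Actions", []))
    excluded = any(matches(p, action) for p in role.get("NotActions", []))
    return allowed and not excluded

def audit(role, required):
    """Report required permissions the role lacks and wildcard grants to review."""
    return {
        "missing": [a for a in required if not granted(role, a)],
        "wildcards": [p for p in role.get("Actions", []) if "*" in p],
    }

# Constructed sample role definitions (hypothetical names, not from the page).
EXACT_ROLE = {"Name": "vm-restore-target-rg", "Actions": list(RESTORE_VM_TARGET_RG)}
LOOSE_ROLE = {
    "Name": "vm-restore-draft",
    "Actions": [
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/*",
    ],
    "NotActions": ["Microsoft.Network/virtualNetworks/subnets/join/action"],
}

if __name__ == "__main__":
    for role in (EXACT_ROLE, LOOSE_ROLE):
        print(role["Name"], audit(role, RESTORE_VM_TARGET_RG))
```

The draft role fails the audit twice over: it lacks the resource group write and the subnet join (removed by `NotActions`), while its wildcards grant more on VMs and subnets than the table requires.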