Agentless, cloud-native backup for Microsoft Azure
Post Reply
agrob
Expert
Posts: 217
Liked: 23 times
Joined: Sep 05, 2011 1:31 pm
Full Name: Andre
Contact:

VBA unable to add initial Service Account

Post by agrob »

Good Day

Have deployed VBA. Logged in with the local Administrator Account specified during deployment. then started the wizard to add Service Account (create automaticaly). In the step "Logon to Microsoft Azure" i opened the link, entered the Verfiation Code, then i got the message "You are authenticated to Microsoft Azure as admin@domain.com". when i click next, i get the following error:

Unexpected error occurred Check the service logs for additional details Trace ID: 713a5f62-2933-4df0-892d-772be5151988

Account i logged in is global Admin, so it should have enough rights to register the Service Account (or Application). Any Idea what the problem exactely is? I'll try to crate the App / SA manually, but would be interessting to know how to fix this.

Thanks

nielsengelen
Veeam Software
Posts: 3418
Liked: 686 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: VBA unable to add initial Service Account

Post by nielsengelen »

This is hard to tell from the error so if the issue persist please contact support for help so they can analyse the logs. If you do contact support, can u let us know the support case ID?
https://foonet.be

agrob
Expert
Posts: 217
Liked: 23 times
Joined: Sep 05, 2011 1:31 pm
Full Name: Andre
Contact:

Re: VBA unable to add initial Service Account

Post by agrob »

Thanks Niels, have opened a case 04183184. I guess it would be good to know what the issue is. otherwise i'll crate the app/accounts manually. but lets wait what support says

dalbertson
Veeam Software
Posts: 263
Liked: 65 times
Joined: Jul 21, 2015 12:38 pm
Full Name: Dustin Albertson
Contact:

Re: VBA unable to add initial Service Account

Post by dalbertson »

@agrob Did you upload logs to the case?

agrob
Expert
Posts: 217
Liked: 23 times
Joined: Sep 05, 2011 1:31 pm
Full Name: Andre
Contact:

Re: VBA unable to add initial Service Account

Post by agrob »

@dalbertson: i did not, was not aware where to collect the files... but i have found it now. i'll upload the logs in the next hour

dalbertson
Veeam Software
Posts: 263
Liked: 65 times
Joined: Jul 21, 2015 12:38 pm
Full Name: Dustin Albertson
Contact:

Re: VBA unable to add initial Service Account

Post by dalbertson »

awesome....thank you

agrob
Expert
Posts: 217
Liked: 23 times
Joined: Sep 05, 2011 1:31 pm
Full Name: Andre
Contact:

Re: VBA unable to add initial Service Account

Post by agrob »

logs are uploaded, thanks

agrob
Expert
Posts: 217
Liked: 23 times
Joined: Sep 05, 2011 1:31 pm
Full Name: Andre
Contact:

Re: VBA unable to add initial Service Account

Post by agrob »

Got the following Feedback from Support:

*************
I've discussed this case with our Q&A, and we have figured out that the problem might be related to the subscription "Zugriff auf Azure Active Directory AzureCloud" (Access to Azure Active Directory). It looks like this subscription was created automatically to provide synchronization of user accounts between Office 365 and Azure Active Directory.

The one property of this subscription may cause an issue as you have:
You cannot create any other Azure resources except those related to Azure AD; these are Directory, ACS and MFA.

It looks like its sole purpose was to serve as a bridge between O365 and Azure AD, it was very restricted.
The error message in Veeam Backup for Microsoft Azure appears when we try to list RBAC roles for this subscription ("Zugriff auf Azure Active Directory AzureCloud").

Here, somebody is getting the same error in the Azure portal when opening Access control (IAM) page for his "Access to Azure Active Directory".
https://stackoverflow.com/questions/614 ... le-unknown

This leads Q&A to the conclusion that this subscription restricts access to information about RBAC roles (maybe Microsoft.Authorization provider is not registered there).

As an isolation test, please try to sign in with a user who doesn't have access to this subscription ("Zugriff auf Azure Active Directory AzureCloud") when creating an Azure account in Veeam Backup for Microsoft Azure.
*************

what i did, is to create a new Azure AD user. Added the user as owner to the Subscription where VBA is deployed. Also granted user administrator role. now i was able to finish the Service Account Wizard.
The Wizard created an App Registration named "veeambackup". this app was also added as "Contributor" to the Subscription where VBA is deployed. I have two Questions about it:
- Is it really neccesary that the Service Prinicipal needs "Contributor" Rights?
- when i want to backup vms from other subscriptions, what is the minimum right i need to give to the Service Principal on those subscritptions? is it "Microsoft.Authorization/*/Write" Permissions and if yes, why does the wizard grant contributor rights during SA Creation?

thanks
André

Mike Resseler
Product Manager
Posts: 6122
Liked: 712 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: VBA unable to add initial Service Account

Post by Mike Resseler »

Hi André,

The rights that we are creating are indeed necessary, otherwise it will be impossible to take snapshots, and those are the basis of the (obviously) snapshots and backups. Why not read only? Because you are writing things.

Now, what rights are necessary: we have written them out here: https://www.veeam.com/kb3154

agrob
Expert
Posts: 217
Liked: 23 times
Joined: Sep 05, 2011 1:31 pm
Full Name: Andre
Contact:

Re: VBA unable to add initial Service Account

Post by agrob »

Hi Mike

Thanks for the feedback and the link provided. I was just curious if there are more restrictive rights than contributor rights. Contributor has per default quite many rights.

@All: Support confirmend that this is a know issue about the Service Account creation and they are working on a fix for it. In the meantime, the workarround is described above.

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest