-
- Veteran
- Posts: 389
- Liked: 54 times
- Joined: Sep 05, 2011 1:31 pm
- Full Name: Andre
- Contact:
VBA unable to add initial Service Account
Good Day
Have deployed VBA. Logged in with the local Administrator account specified during deployment, then started the wizard to add a Service Account (create automatically). In the step "Logon to Microsoft Azure" I opened the link, entered the verification code, then I got the message "You are authenticated to Microsoft Azure as admin@domain.com". When I click Next, I get the following error:
Unexpected error occurred Check the service logs for additional details Trace ID: 713a5f62-2933-4df0-892d-772be5151988
The account I logged in with is Global Admin, so it should have enough rights to register the Service Account (or Application). Any idea what the problem exactly is? I'll try to create the App / SA manually, but it would be interesting to know how to fix this.
Thanks
-
- Product Manager
- Posts: 5796
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: VBA unable to add initial Service Account
This is hard to tell from the error, so if the issue persists please contact support for help so they can analyse the logs. If you do contact support, can you let us know the support case ID?
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
-
- Veteran
- Posts: 389
- Liked: 54 times
- Joined: Sep 05, 2011 1:31 pm
- Full Name: Andre
- Contact:
Re: VBA unable to add initial Service Account
Thanks Niels, have opened a case 04183184. I guess it would be good to know what the issue is. Otherwise I'll create the app/accounts manually. But let's wait for what support says.
-
- Veeam Software
- Posts: 492
- Liked: 175 times
- Joined: Jul 21, 2015 12:38 pm
- Full Name: Dustin Albertson
- Contact:
Re: VBA unable to add initial Service Account
@agrob Did you upload logs to the case?
Dustin Albertson | Director of Product Management - Cloud & Applications | Veeam Product Management, Alliances
-
- Veteran
- Posts: 389
- Liked: 54 times
- Joined: Sep 05, 2011 1:31 pm
- Full Name: Andre
- Contact:
Re: VBA unable to add initial Service Account
@dalbertson: I did not, was not aware where to collect the files... but I have found it now. I'll upload the logs in the next hour.
-
- Veeam Software
- Posts: 492
- Liked: 175 times
- Joined: Jul 21, 2015 12:38 pm
- Full Name: Dustin Albertson
- Contact:
Re: VBA unable to add initial Service Account
awesome....thank you
Dustin Albertson | Director of Product Management - Cloud & Applications | Veeam Product Management, Alliances
-
- Veteran
- Posts: 389
- Liked: 54 times
- Joined: Sep 05, 2011 1:31 pm
- Full Name: Andre
- Contact:
Re: VBA unable to add initial Service Account
logs are uploaded, thanks
-
- Veteran
- Posts: 389
- Liked: 54 times
- Joined: Sep 05, 2011 1:31 pm
- Full Name: Andre
- Contact:
Re: VBA unable to add initial Service Account
Got the following Feedback from Support:
*************
I've discussed this case with our Q&A, and we have figured out that the problem might be related to the subscription "Zugriff auf Azure Active Directory AzureCloud" (Access to Azure Active Directory). It looks like this subscription was created automatically to provide synchronization of user accounts between Office 365 and Azure Active Directory.
The one property of this subscription may cause an issue as you have:
You cannot create any other Azure resources except those related to Azure AD; these are Directory, ACS and MFA.
It looks like its sole purpose was to serve as a bridge between O365 and Azure AD, it was very restricted.
The error message in Veeam Backup for Microsoft Azure appears when we try to list RBAC roles for this subscription ("Zugriff auf Azure Active Directory AzureCloud").
Here, somebody is getting the same error in the Azure portal when opening Access control (IAM) page for his "Access to Azure Active Directory".
https://stackoverflow.com/questions/614 ... le-unknown
This leads Q&A to the conclusion that this subscription restricts access to information about RBAC roles (maybe Microsoft.Authorization provider is not registered there).
As an isolation test, please try to sign in with a user who doesn't have access to this subscription ("Zugriff auf Azure Active Directory AzureCloud") when creating an Azure account in Veeam Backup for Microsoft Azure.
*************
What I did is create a new Azure AD user. Added the user as Owner to the subscription where VBA is deployed. Also granted the User Administrator role. Now I was able to finish the Service Account wizard.
The wizard created an App Registration named "veeambackup". This app was also added as "Contributor" to the subscription where VBA is deployed. I have two questions about it:
- Is it really necessary that the Service Principal needs "Contributor" rights?
- When I want to back up VMs from other subscriptions, what is the minimum right I need to give to the Service Principal on those subscriptions? Is it "Microsoft.Authorization/*/Write" permissions, and if yes, why does the wizard grant Contributor rights during SA creation?
thanks
André
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: VBA unable to add initial Service Account
Hi André,
The rights that we are creating are indeed necessary, otherwise it will be impossible to take snapshots, and those are the basis of the (obviously) snapshots and backups. Why not read only? Because you are writing things.
Now, what rights are necessary: we have written them out here: https://www.veeam.com/kb3154
-
- Veteran
- Posts: 389
- Liked: 54 times
- Joined: Sep 05, 2011 1:31 pm
- Full Name: Andre
- Contact:
Re: VBA unable to add initial Service Account
Hi Mike
Thanks for the feedback and the link provided. I was just curious if there are more restrictive rights than contributor rights. Contributor has per default quite many rights.
@All: Support confirmed that this is a known issue with the Service Account creation and they are working on a fix for it. In the meantime, the workaround is described above.
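An added example (not from the thread and not Veeam's code): one way to see where a service principal such as the wizard-created "veeambackup" app holds broad built-in roles, working from the JSON that `az role assignment list --all --assignee <object-id>` prints. The object ID, subscription IDs and sample records are constructed placeholders.

```python
import json
import sys

# Built-in roles worth reviewing on a backup service principal: Owner and
# Contributor can write to every resource type in scope, and User Access
# Administrator can change role assignments.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}
WIDE_LEVELS = {"root", "management-group", "subscription"}

def scope_level(scope):
    """Classify an Azure RBAC scope string by how much it covers."""
    parts = [p.lower() for p in scope.split("/") if p]
    if not parts:
        return "root"
    if parts[:3] == ["providers", "microsoft.management", "managementgroups"]:
        return "management-group"
    if parts[0] != "subscriptions" or len(parts) < 2:
        return "unknown"
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource-group"
    return "resource"

def broad_assignments(assignments, principal_id):
    """Return (scope, role, level) for broad roles held at wide scopes."""
    findings = []
    for a in assignments:
        if a.get("principalId") != principal_id:
            continue
        role = a.get("roleDefinitionName")
        level = scope_level(a.get("scope", ""))
        if role in BROAD_ROLES and level in WIDE_LEVELS:
            findings.append((a.get("scope", ""), role, level))
    return findings

# Constructed sample data: every ID below is a placeholder.
SP_OBJECT_ID = "00000000-0000-0000-0000-0000000000aa"
SUB_A = "/subscriptions/11111111-1111-1111-1111-111111111111"
SUB_B = "/subscriptions/22222222-2222-2222-2222-222222222222"
SAMPLE = [
    {"principalId": SP_OBJECT_ID, "roleDefinitionName": "Contributor", "scope": SUB_A},
    {"principalId": SP_OBJECT_ID, "roleDefinitionName": "Reader", "scope": SUB_B},
    {"principalId": SP_OBJECT_ID, "roleDefinitionName": "Contributor",
     "scope": SUB_B + "/resourceGroups/backup-rg"},
    {"principalId": "00000000-0000-0000-0000-0000000000bb",
     "roleDefinitionName": "Owner", "scope": SUB_A},
]

if __name__ == "__main__":
    # Pass a file holding the CLI's JSON output, or run with no argument for the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for scope, role, level in broad_assignments(data, SP_OBJECT_ID):
        print(f"{role} at {level} scope: {scope}")
```

With the sample data, only the subscription-wide Contributor assignment is reported; the same role limited to a resource group and the Reader assignment are not.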
-
- Expert
- Posts: 195
- Liked: 33 times
- Joined: Mar 06, 2015 1:01 am
- Full Name: Hal Yaman
- Location: Sydney
- Contact:
Re: VBA unable to add initial Service Account
Hi All,
Had the same issue, and the way to solve it was to browse to AD - App Registration - Veeam App - API Permission and then press "Grant Admin Consent".
HY.