Direct Restore to Microsoft Azure | VeeamPN software-defined networking
Post Reply
rccl_ecain
Influencer
Posts: 12
Liked: 14 times
Joined: Jan 06, 2015 10:46 pm
Full Name: Ethan Cain
Location: Miramr, FL
Contact:

What account "Built-in role" for Azure Direct Restore

Post by rccl_ecain » Mar 09, 2017 10:42 pm 1 person likes this post

Trying to do anything with Azure restore, the account added fine, but we get what looks like a permissions error.

Image

Now, the account is a Contributor, which specifically has ALL action access except for Role delete/create.

My question is, what is the most locked down ROLE the user can be assigned for restore to Azure to still work, and does anyone have an idea as to why I'm getting a permission error like this when the account can definitely run that command?
Retired 'Cloud Admiral'. Might actually be on a ship.

edweb3
Lurker
Posts: 2
Liked: never
Joined: Apr 28, 2014 7:14 pm
Full Name: Edgar Santiago Perez Pinzon
Contact:

Re: What account "Built-in role" for Azure Direct Restore

Post by edweb3 » Mar 09, 2017 10:45 pm

Hey Dude, I am having this same issue on my site!!! please let us know if you find out what type of azure account you need. (currently I have: Your account 'xxxxxx' has been assigned the role 'Contributor' (type BuiltInRole) and has access to scope '/subscriptions/yyyyyyyyyyyyy

I have not been able to find the specific account requirements in the manuals.

Mike Resseler
Veeam Software
Posts: 4987
Liked: 525 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: What account "Built-in role" for Azure Direct Restore

Post by Mike Resseler » Mar 10, 2017 6:29 am

Hi Guys,

I am not aware of the exact permissions but when you add an Azure Proxy, you basically are going to create a VM so you need to have that right to start with.

I assume you both are using the resource manager model and not the classic anymore?

v.Eremin
Veeam Software
Posts: 15227
Liked: 1146 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: What account "Built-in role" for Azure Direct Restore

Post by v.Eremin » Mar 10, 2017 11:54 am

So, you're using Resource Manager model, based on the screenshot ("Resource Group" node). If you use the Resource Manager deployment model, you can add only Microsoft Accounts that have the Service Administrator role. This seems to be the issue here. Thanks.

rccl_ecain
Influencer
Posts: 12
Liked: 14 times
Joined: Jan 06, 2015 10:46 pm
Full Name: Ethan Cain
Location: Miramr, FL
Contact:

Re: What account "Built-in role" for Azure Direct Restore

Post by rccl_ecain » Mar 10, 2017 6:58 pm

There is no Built in Role that has that name: https://docs.microsoft.com/en-us/azure/ ... t-in-roles

The only ADMIN would be the root account for the entire azure infrastructure, which unless you are using it for testing, why would you add your root account credentials? Can anyone verify that the specific command shown is one that cannot be used by a Contributor?

Reading through the documentation, it doesn't cover much on the prep for the Azure end of things (like it SHOULD). This isn't a small infrastructure that we want to move to azure, like it seems to be with most users here. In our organization, we can't just give root access to everything.
Retired 'Cloud Admiral'. Might actually be on a ship.

rccl_ecain
Influencer
Posts: 12
Liked: 14 times
Joined: Jan 06, 2015 10:46 pm
Full Name: Ethan Cain
Location: Miramr, FL
Contact:

Re: What account "Built-in role" for Azure Direct Restore

Post by rccl_ecain » Mar 10, 2017 7:23 pm

FYI.

Opening a ticket for this. As I can get it to work, with the same account, via Powershell and the AzureRM.Resources module. I also got this to work on another (free) account where I was the literal, one and only admin. But I have proven that the RestAPI query is not working (I assume rest as it returns a 403 error...).
Retired 'Cloud Admiral'. Might actually be on a ship.

rccl_ecain
Influencer
Posts: 12
Liked: 14 times
Joined: Jan 06, 2015 10:46 pm
Full Name: Ethan Cain
Location: Miramr, FL
Contact:

Re: What account "Built-in role" for Azure Direct Restore

Post by rccl_ecain » Mar 10, 2017 8:58 pm

UPDATE!

So, after looking around, I DID find the "service administrator" selection.

Image

It looks like THIS link has this specific role info: https://docs.microsoft.com/en-us/azure/ ... dmin-roles

NOT these settings...

Image

Sorry. It's just a little confusing. Maybe a KB, or an update of the documentation to specify the permissions settings a little more clearly would help.
Retired 'Cloud Admiral'. Might actually be on a ship.

Mike Resseler
Veeam Software
Posts: 4987
Liked: 525 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: What account "Built-in role" for Azure Direct Restore

Post by Mike Resseler » Mar 13, 2017 6:55 am

Ethan,

I am a bit confused now (Monday, need coffee I guess ;-)) Are you saying we should add this to our documentation? (Sorry if I understand it wrongly...)

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest