What account "Built-in role" for Azure Direct Restore

Direct Restore to Microsoft Azure | Free, secure file copy for Microsoft Azure VMs

What account "Built-in role" for Azure Direct Restore

Veeam Logoby rccl_ecain » Thu Mar 09, 2017 10:42 pm 1 person likes this post

Trying to do anything with Azure restore, the account added fine, but we get what looks like a permissions error.

Image

Now, the account is a Contributor, which specifically has ALL action access except for Role delete/create.

My question is, what is the most locked down ROLE the user can be assigned for restore to Azure to still work, and does anyone have an idea as to why I'm getting a permission error like this when the account can definitely run that command?
Retired 'Cloud Admiral'. Might actually be on a ship.
rccl_ecain
Influencer
 
Posts: 12
Liked: 14 times
Joined: Tue Jan 06, 2015 10:46 pm
Location: Miramr, FL
Full Name: Ethan Cain

Re: What account "Built-in role" for Azure Direct Restore

Veeam Logoby edweb3 » Thu Mar 09, 2017 10:45 pm

Hey Dude, I am having this same issue on my site!!! please let us know if you find out what type of azure account you need. (currently I have: Your account 'xxxxxx' has been assigned the role 'Contributor' (type BuiltInRole) and has access to scope '/subscriptions/yyyyyyyyyyyyy

I have not been able to find the specific account requirements in the manuals.
edweb3
Lurker
 
Posts: 1
Liked: never
Joined: Mon Apr 28, 2014 7:14 pm
Full Name: Edgar Santiago Perez Pinzon

Re: What account "Built-in role" for Azure Direct Restore

Veeam Logoby Mike Resseler » Fri Mar 10, 2017 6:29 am

Hi Guys,

I am not aware of the exact permissions but when you add an Azure Proxy, you basically are going to create a VM so you need to have that right to start with.

I assume you both are using the resource manager model and not the classic anymore?
Mike Resseler
Veeam Software
 
Posts: 3342
Liked: 379 times
Joined: Fri Feb 08, 2013 3:08 pm
Location: Belgium, the land of the fries, the beer, the chocolate and the diamonds...
Full Name: Mike Resseler

Re: What account "Built-in role" for Azure Direct Restore

Veeam Logoby v.Eremin » Fri Mar 10, 2017 11:54 am

So, you're using Resource Manager model, based on the screenshot ("Resource Group" node). If you use the Resource Manager deployment model, you can add only Microsoft Accounts that have the Service Administrator role. This seems to be the issue here. Thanks.
v.Eremin
Veeam Software
 
Posts: 13543
Liked: 1002 times
Joined: Fri Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: What account "Built-in role" for Azure Direct Restore

Veeam Logoby rccl_ecain » Fri Mar 10, 2017 6:58 pm

There is no Built in Role that has that name: https://docs.microsoft.com/en-us/azure/ ... t-in-roles

The only ADMIN would be the root account for the entire azure infrastructure, which unless you are using it for testing, why would you add your root account credentials? Can anyone verify that the specific command shown is one that cannot be used by a Contributor?

Reading through the documentation, it doesn't cover much on the prep for the Azure end of things (like it SHOULD). This isn't a small infrastructure that we want to move to azure, like it seems to be with most users here. In our organization, we can't just give root access to everything.
Retired 'Cloud Admiral'. Might actually be on a ship.
rccl_ecain
Influencer
 
Posts: 12
Liked: 14 times
Joined: Tue Jan 06, 2015 10:46 pm
Location: Miramr, FL
Full Name: Ethan Cain

Re: What account "Built-in role" for Azure Direct Restore

Veeam Logoby rccl_ecain » Fri Mar 10, 2017 7:23 pm

FYI.

Opening a ticket for this. As I can get it to work, with the same account, via Powershell and the AzureRM.Resources module. I also got this to work on another (free) account where I was the literal, one and only admin. But I have proven that the RestAPI query is not working (I assume rest as it returns a 403 error...).
Retired 'Cloud Admiral'. Might actually be on a ship.
rccl_ecain
Influencer
 
Posts: 12
Liked: 14 times
Joined: Tue Jan 06, 2015 10:46 pm
Location: Miramr, FL
Full Name: Ethan Cain

Re: What account "Built-in role" for Azure Direct Restore

Veeam Logoby rccl_ecain » Fri Mar 10, 2017 8:58 pm

UPDATE!

So, after looking around, I DID find the "service administrator" selection.

Image

It looks like THIS link has this specific role info: https://docs.microsoft.com/en-us/azure/ ... dmin-roles

NOT these settings...

Image

Sorry. It's just a little confusing. Maybe a KB, or an update of the documentation to specify the permissions settings a little more clearly would help.
Retired 'Cloud Admiral'. Might actually be on a ship.
rccl_ecain
Influencer
 
Posts: 12
Liked: 14 times
Joined: Tue Jan 06, 2015 10:46 pm
Location: Miramr, FL
Full Name: Ethan Cain

Re: What account "Built-in role" for Azure Direct Restore

Veeam Logoby Mike Resseler » Mon Mar 13, 2017 6:55 am

Ethan,

I am a bit confused now (Monday, need coffee I guess ;-)) Are you saying we should add this to our documentation? (Sorry if I understand it wrongly...)
Mike Resseler
Veeam Software
 
Posts: 3342
Liked: 379 times
Joined: Fri Feb 08, 2013 3:08 pm
Location: Belgium, the land of the fries, the beer, the chocolate and the diamonds...
Full Name: Mike Resseler


Return to Veeam Tools for Microsoft Azure



Who is online

Users browsing this forum: Google [Bot] and 6 guests