Microsoft Azure permissions explained
Topic
This article details the Microsoft Azure permissions that Datto Backup for Microsoft Azure requires in order to back up and restore Microsoft Azure data.
Environment
Datto Backup for Microsoft Azure
Description
Datto Cloud SIRIS needs the following permissions:
Microsoft.Authorization/roleAssignments/read
Datto uses this permission to check the RBAC role that the Enterprise Application has been assigned.
Function: App registration
Microsoft.Compute/disks/beginGetAccess/action
Datto will grant access to each disk created for the restore so that the Cloud SIRIS can upload the blocks of the volume using azcopy.
Function: Restore
Microsoft.Compute/disks/endGetAccess/action
Datto will revoke access to each disk after the Cloud SIRIS has uploaded the data so that a VM can be created from those disks.
Function: Restore
Microsoft.Compute/disks/read
Datto will need to read the Microsoft Azure VM's current disk SKU in order to restore to disks with that same SKU.
Functions: Backup, Restore, Metadata
Microsoft.Compute/disks/write
Datto will create disks for each of the restore volumes.
Function: Restore
Microsoft.Compute/virtualMachines/extensions/read
Datto needs to check the status of virtual machine extensions to determine when the auto installation of the Datto agent is complete.
Function: Agent pairing
Microsoft.Compute/virtualMachines/extensions/write
Datto needs to apply virtual machine custom script extensions to automatically install the Datto agent.
Function: Agent pairing
Microsoft.Compute/virtualMachines/read
Datto will need to verify that the virtual machine was created correctly.
Functions: Backup, Restore, Metadata
Microsoft.Compute/virtualMachines/start/action
Datto will start the restored virtual machine after it has been created.
Function: Restore
Microsoft.Compute/virtualMachines/write
Datto will create a virtual machine configured with the disks containing the backup data.
Function: Restore
Microsoft.Network/networkInterfaces/join/action
Datto will need to assign the created NIC to the virtual machine.
Function: Restore
Microsoft.Network/networkInterfaces/read
Datto will need to read the Azure VM's current network configuration in order to restore with that same network configuration.
Functions: Backup, Restore, Metadata
Microsoft.Network/networkInterfaces/write
Datto will create a NIC to assign to the restored virtual machine.
Function: Restore
Microsoft.Network/networkSecurityGroups/join/action
Datto will need to join the restored VM to an existing Network Security Group.
Functions: Backup, Restore, Metadata
Microsoft.Network/networkSecurityGroups/read
Datto will need to read the Azure VM's current network configuration in order to restore with that same network configuration.
Functions: Backup, Restore, Metadata
Microsoft.Network/networkSecurityGroups/write
Datto will create a network security group to assign to the NIC of the restored virtual machine.
Function: Restore
Microsoft.Network/publicIPAddresses/join/action
Datto will need permission to attach a VM to the original VM's public IP address.
Function: Restore
Microsoft.Network/publicIPAddresses/read
Datto will need to read the Azure VM's current network configuration in order to restore with that same network configuration.
Functions: Backup, Restore, Metadata
Microsoft.Network/publicIPAddresses/write
Datto will create a public IP address to assign to the NIC of the restored virtual machine.
Function: Restore
Microsoft.Network/virtualNetworks/join/action
Datto will need permission to attach a VM to the original VM's virtual network.
Function: Restore
Microsoft.Network/virtualNetworks/read
Datto will need to read the Azure VM's current network configuration in order to restore with that same network configuration.
Function: Metadata
Microsoft.Network/virtualNetworks/subnets/join/action
Datto will need to join the restored VM to an existing Virtual Network and Subnet.
Function: Restore
Microsoft.Network/virtualNetworks/subnets/read
Datto will need to read the Azure VM's current network configuration in order to restore with that same network configuration.
Functions: Backup, Restore, Metadata
Microsoft.Network/virtualNetworks/write
Datto will create a virtual network to assign to the NIC of the restored virtual machine.
Function: Restore
Microsoft.Resources/deployments/read
Datto will need to check the status of templates for creating disks and virtual machines for restores.
Function: Restore
Microsoft.Resources/deployments/validate/action
Datto will validate the deployment templates used to create disks and virtual machines prior to executing them.
Function: Restore
Microsoft.Resources/deployments/write
Datto will deploy templates to create disks and virtual machines for the restore.
Function: Restore
Microsoft.Resources/subscriptions/read
Datto will display a list of your subscriptions in the Datto Portal, so that you don't need to copy/paste subscription UUIDs during device registration.
Functions: App registration, Agent pairing
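The following is an added example, not Datto's own code: a Python check that compares a role definition with the permissions listed above and reports listed permissions the role does not effectively grant, plus any actions it grants beyond the list (wildcards included). The role dictionary assumes the permissions/actions/notActions layout of an Azure role definition; audit_role and SAMPLE_ROLE are constructed for illustration, and only control-plane actions are examined.

```python
from fnmatch import fnmatchcase

# Permissions listed in this article, grouped by resource type.
_BY_RESOURCE = {
    "Microsoft.Authorization/roleAssignments": "read",
    "Microsoft.Compute/disks": "beginGetAccess/action endGetAccess/action read write",
    "Microsoft.Compute/virtualMachines":
        "read write start/action extensions/read extensions/write",
    "Microsoft.Network/networkInterfaces": "join/action read write",
    "Microsoft.Network/networkSecurityGroups": "join/action read write",
    "Microsoft.Network/publicIPAddresses": "join/action read write",
    "Microsoft.Network/virtualNetworks":
        "join/action read write subnets/join/action subnets/read",
    "Microsoft.Resources/deployments": "read validate/action write",
    "Microsoft.Resources/subscriptions": "read",
}
REQUIRED = [f"{res}/{op}" for res, ops in _BY_RESOURCE.items() for op in ops.split()]

def _matches(action, patterns):
    """Azure action strings are case-insensitive and may contain '*' wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit_role(role):
    """Compare a role definition's control-plane actions with the article's list."""
    blocks = role.get("permissions", [])
    def granted(action):
        # Within one permission block, notActions subtract from actions.
        return any(_matches(action, b.get("actions", []))
                   and not _matches(action, b.get("notActions", []))
                   for b in blocks)
    wanted = {r.lower() for r in REQUIRED}
    missing = [r for r in REQUIRED if not granted(r)]
    # Anything not literally on the list is excess; a wildcard always is,
    # because it also grants operations the article never asks for.
    excess = sorted({a for b in blocks for a in b.get("actions", [])
                     if a.lower() not in wanted})
    return {"missing": missing, "excess": excess}

# Constructed sample role (not a real Datto or Azure built-in definition).
SAMPLE_ROLE = {
    "roleName": "example-backup-role",
    "permissions": [{
        "actions": [r for r in REQUIRED if not r.endswith("publicIPAddresses/write")]
                   + ["Microsoft.Compute/virtualMachines/*",
                      "Microsoft.Storage/storageAccounts/listKeys/action"],
        "notActions": ["Microsoft.Compute/virtualMachines/start/action"],
    }],
}

if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE))
```

A role whose actions are exactly the listed permissions returns empty "missing" and "excess" lists.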