In Veeam Backup and Replication 9.5 versions prior to Update 4, the password for the Microsoft Azure account used by the Direct Restore to Azure functionality can be found in the log in plain text.
Veeam Backup and Replication is used by a lot of organizations worldwide to create and restore backups of systems, applications and services. Its Direct Restore to Azure functionality absolutely rocks for both backups and migrations to Azure Infrastructure as a Service (IaaS). Alas, there is a security issue that might diminish your fantastic experience with this feature…
You want to assign the user account in Microsoft Azure Infrastructure as a Service (IaaS) for Veeam Backup & Replication’s Direct Restore to Azure functionality with the minimum of privileges in the Azure tenant.
You follow the steps outlined in Veeam KnowledgeBase article 2702:
- You first create a user object in Microsoft Azure Active Directory.
- You run the below Windows PowerShell script to create a custom role in Microsoft Azure with minimal privileges:
- Then, you register the newly created user object and role in Veeam Backup & Replication using the following command in an elevated Command Prompt window on the Windows Server installation running Veeam Backup & Replication:
$role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
$role.Name = 'Veeam Restore Operator'
$role.Description = 'Permissions for Veeam Direct Restore to Microsoft Azure'
$role.IsCustom = $true
$permissions = @(
$role.Actions = $permissions
$role.NotActions = (Get-AzureRmRoleDefinition -Name 'Virtual Machine Contributor').NotActions
$subs = '/subscriptions/00000000-0000-0000-0000-000000000000'
$role.AssignableScopes = $subs
New-AzureRmRoleDefinition -Role $role
cd C:\Program Files\Veeam\Backup and Replication\Backup
The account is then ready for use.
When you assign the user account in Microsoft Azure Infrastructure as a Service (IaaS) for Veeam Backup & Replication’s Direct Restore to Azure functionality with the minimum of privileges in the Azure tenant, using the steps outlined in Veeam KnowledgeBase article 2702, the password for the Microsoft Azure account can be found in the C:\ProgramData\Veeam\Backup\VeeamBackupManager.log file in plain text.
This issue affects Veeam Backup & Replication 9.5 versions prior to Update 4.
The issue is described in Veeam KnowledgeBase article 2886.
The issue was addressed in Veeam Backup & Replication 9.5 Update 4.
Veeam Backup & Replication 9.5 Update 4 was released in January 2019. The Direct Restore to Azure functionality was made available in March 2016. The guidance to assign the user account in Microsoft Azure Infrastructure as a Service (IaaS) for Veeam Backup & Replication’s Direct Restore to Azure functionality with the minimum of privileges in the Azure tenant was first released in August 2018.
Call to Action
If your organization has configured the account for Direct Restore using the guidance in Veeam KnowledgeBase article 2702, or intends to do so on Veeam Backup & Replication 9.5 versions prior to Update 4, apply the necessary security measures for the log file.
If your organization’s security principles allow you to edit or remove the log file, do so.