Merge pull request #291003 from AbhishekMallick-MS/Nov-25-2024-VM

prmerger-automator[bot] · web-flow · commit 2e7ce78cd58a · 2024-11-25T11:06:09.000Z
Restore VM updates
diff --git a/articles/backup/backup-azure-arm-restore-vms.md b/articles/backup/backup-azure-arm-restore-vms.md
@@ -330,34 +330,69 @@ For more information, see [Back up and restore Active Directory domain controlle
 
 Managed identities eliminate the need for the user to maintain the credentials. Managed identities provide an identity for applications to use when connecting to resources that support Microsoft Entra authentication.  
 
-Azure Backup offers the flexibility to restore the managed Azure VM with [managed identities](../active-directory/managed-identities-azure-resources/overview.md). You can choose to select [system-managed identities](../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) or user-managed identities as shown in the figure below. This is introduced as one of the input parameters in the [**Restore configuration** blade](#create-a-vm) of Azure VM. Managed identities used as one of the input parameters is only used for accessing the storage accounts, which are used as staging location during restore and not for any other Azure resource controlling. These managed identities have to be associated to the vault.
+Azure Backup offers the flexibility to restore the managed Azure VM with [managed identities](../active-directory/managed-identities-azure-resources/overview.md). You can choose to select [system-managed identities](../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) or user-managed identities as shown in the figure below. This is introduced as one of the input parameters in the [**Restore configuration** blade](#create-a-vm) of Azure VM. Managed identities are used for accessing the storage accounts and automated cleanup of any resources created during restore process in case of restore failures. These managed identities have to be associated to the vault.
 
 :::image type="content" source="./media/backup-azure-arm-restore-vms/select-system-managed-identities-or-user-managed-identities.png" alt-text="Screenshot for choice to select system-managed identities or user-managed identities.":::
 
-If you choose to select system-assigned or user-assigned managed identities, check for the below actions for managed identity on the target staging Storage Account.
+If you choose to select system-assigned or user-assigned managed identities, check for the below actions for managed identity on the target staging Storage Account and Resource Group.
 
 ```json
 "permissions": [
-  {
-    "actions": [
-        "Microsoft.Authorization/*/read",
-        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
-        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
-        "Microsoft.Storage/storageAccounts/blobServices/containers/write"
-    ],
-    "notActions": [],
-    "dataActions": [
-      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
-      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
-      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
-      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
-    ],
-    "notDataActions": []
-  }
-]
+            {
+                "actions": [
+                    "Microsoft.Authorization/*/read",
+                    "Microsoft.Compute/disks/read",
+                    "Microsoft.Compute/disks/write",
+                    "Microsoft.Compute/disks/delete",
+                    "Microsoft.Compute/disks/beginGetAccess/action",
+                    "Microsoft.Compute/disks/endGetAccess/action",
+                    "Microsoft.Compute/locations/diskOperations/read",
+                    "Microsoft.Compute/virtualMachines/read",
+                    "Microsoft.Compute/virtualMachines/write",
+                    "Microsoft.Compute/virtualMachines/delete",
+                    "Microsoft.Compute/virtualMachines/instanceView/read",
+                    "Microsoft.Compute/virtualMachines/extensions/read",
+                    "Microsoft.Compute/virtualMachines/extensions/write",
+                    "Microsoft.Compute/virtualMachines/extensions/delete",
+                    "Microsoft.Insights/alertRules/*",
+                    "Microsoft.Network/locations/operationResults/read",
+                    "Microsoft.Network/locations/operations/read",
+                    "Microsoft.Network/locations/usages/read",
+                    "Microsoft.Network/networkInterfaces/delete",
+                    "Microsoft.Network/networkInterfaces/ipconfigurations/read",
+                    "Microsoft.Network/networkInterfaces/join/action",
+                    "Microsoft.Network/networkInterfaces/read",
+                    "Microsoft.Network/networkInterfaces/write",
+                    "Microsoft.Network/networkSecurityGroups/read",
+                    "Microsoft.Network/networkSecurityGroups/securityRules/read",
+                    "Microsoft.Network/publicIPAddresses/delete",
+                    "Microsoft.Network/publicIPAddresses/join/action",
+                    "Microsoft.Network/publicIPAddresses/read",
+                    "Microsoft.Network/publicIPAddresses/write",
+                    "Microsoft.Network/virtualNetworks/read",
+                    "Microsoft.Network/virtualNetworks/subnets/join/action",
+                    "Microsoft.Network/virtualNetworks/subnets/read",
+                    "Microsoft.Resources/deployments/*",
+                    "Microsoft.Resources/subscriptions/resourceGroups/read",
+                    "Microsoft.Storage/checkNameAvailability/read",
+                    "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
+                    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
+                    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
+                    "Microsoft.Storage/storageAccounts/listKeys/action",
+                    "Microsoft.Storage/storageAccounts/read",
+                    "Microsoft.Storage/storageAccounts/write"
+                ],
+                "notActions": [],
+                "dataActions": [
+                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
+                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
+                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
+                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
+                ],
+
 ```
 
-Or, add the role assignment on the staging location (Storage Account) to have [Storage account Backup Contributor](./blob-backup-configure-manage.md#grant-permissions-to-the-backup-vault-on-storage-accounts) and [Storage Blob data Contributor](../role-based-access-control/built-in-roles.md#storage-blob-data-contributor) for the successful restore operation.
+Or, add the **VM restore operator** role assignment on the staging location (Storage Account) and target Resource Group for the successful restore operation.
 
 :::image type="content" source="./media/backup-azure-arm-restore-vms/add-role-assignment-on-staging-location.png" alt-text="Screenshot for adding the role assignment on the staging location.":::
 
diff --git a/articles/role-based-access-control/built-in-roles.md b/articles/role-based-access-control/built-in-roles.md
@@ -71,6 +71,7 @@ The following table provides a brief description of each built-in role. Click th
 > | <a name='virtual-machine-data-access-administrator-preview'></a>[Virtual Machine Data Access Administrator (preview)](./built-in-roles/compute.md#virtual-machine-data-access-administrator-preview) | Manage access to Virtual Machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an ABAC condition to constrain role assignments. | 66f75aeb-eabe-4b70-9f1e-c350c4c9ad04 |
 > | <a name='virtual-machine-local-user-login'></a>[Virtual Machine Local User Login](./built-in-roles/compute.md#virtual-machine-local-user-login) | View Virtual Machines in the portal and login as a local user configured on the arc server | 602da2ba-a5c2-41da-b01d-5360126ab525 |
 > | <a name='virtual-machine-user-login'></a>[Virtual Machine User Login](./built-in-roles/compute.md#virtual-machine-user-login) | View Virtual Machines in the portal and login as a regular user. | fb879df8-f326-4884-b1cf-06f3ad86be52 |
+> | [Virtual Machine Restore Operator](/azure/role-based-access-control/built-in-roles/compute#virtual-machine-operator) | Provides permissions to Recovery Services vault to staging storage account and target resource group for VM restore operations. | dfce897125e342e3ba336055438e3080 |
 > | <a name='windows-365-network-interface-contributor'></a>[Windows 365 Network Interface Contributor](./built-in-roles/compute.md#windows-365-network-interface-contributor) | This role is used by Windows 365 to provision required network resources and join Microsoft-hosted VMs to network interfaces. | 1f135831-5bbe-4924-9016-264044c00788 |
 > | <a name='windows-365-network-user'></a>[Windows 365 Network User](./built-in-roles/compute.md#windows-365-network-user) | This role is used by Windows 365 to read virtual networks and join the designated virtual networks. | 7eabc9a4-85f7-4f71-b8ab-75daaccc1033 |
 > | <a name='windows-admin-center-administrator-login'></a>[Windows Admin Center Administrator Login](./built-in-roles/compute.md#windows-admin-center-administrator-login) | Let's you manage the OS of your resource via Windows Admin Center as an administrator. | a6333a3e-0164-44c3-b281-7a577aff287f |
diff --git a/articles/role-based-access-control/built-in-roles/compute.md b/articles/role-based-access-control/built-in-roles/compute.md
@@ -1856,6 +1856,123 @@ View Virtual Machines in the portal and login as a regular user.
 }
 ```
 
+## Virtual Machine Operator
+
+This role is for providing necessary permissions on the staging storage account and target resource group during VM restore operations using Azure Backup.
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | --- | --- |
+> | Microsoft.Authorization/*/read | Read access to all authorization resources |
+> | Microsoft.Compute/disks/read | Read access to compute disks |
+> | Microsoft.Compute/disks/write | Write access to compute disks |
+> | Microsoft.Compute/disks/delete | Delete access to compute disks |
+> | Microsoft.Compute/disks/beginGetAccess/action | Begin get access action on compute disks |
+> | Microsoft.Compute/disks/endGetAccess/action | End get access action on compute disks |
+> | Microsoft.Compute/locations/diskOperations/read | Read access to disk operations in a location |
+> | Microsoft.Compute/virtualMachines/read | Read access to virtual machines |
+> | Microsoft.Compute/virtualMachines/write | Write access to virtual machines |
+> | Microsoft.Compute/virtualMachines/delete | Delete access to virtual machines |
+> | Microsoft.Compute/virtualMachines/instanceView/read | Read access to virtual machine instance view |
+> | Microsoft.Compute/virtualMachines/extensions/read | Read access to virtual machine extensions |
+> | Microsoft.Compute/virtualMachines/extensions/write | Write access to virtual machine extensions |
+> | Microsoft.Compute/virtualMachines/extensions/delete | Delete access to virtual machine extensions |
+> | Microsoft.Insights/alertRules/* | Full access to alert rules |
+> | Microsoft.Network/locations/operationResults/read | Read access to operation results in a location |
+> | Microsoft.Network/locations/operations/read | Read access to operations in a location |
+> | Microsoft.Network/locations/usages/read | Read access to usage information in a location |
+> | Microsoft.Network/networkInterfaces/delete | Delete access to network interfaces |
+> | Microsoft.Network/networkInterfaces/ipconfigurations/read | Read access to IP configurations of network interfaces |
+> | Microsoft.Network/networkInterfaces/join/action | Join action on network interfaces |
+> | Microsoft.Network/networkInterfaces/read | Read access to network interfaces |
+> | Microsoft.Network/networkInterfaces/write | Write access to network interfaces |
+> | Microsoft.Network/networkSecurityGroups/read | Read access to network security groups |
+> | Microsoft.Network/networkSecurityGroups/securityRules/read | Read access to security rules of network security groups |
+> | Microsoft.Network/publicIPAddresses/delete | Delete access to public IP addresses |
+> | Microsoft.Network/publicIPAddresses/join/action | Join action on public IP addresses |
+> | Microsoft.Network/publicIPAddresses/read | Read access to public IP addresses |
+> | Microsoft.Network/publicIPAddresses/write | Write access to public IP addresses |
+> | Microsoft.Network/virtualNetworks/read | Read access to virtual networks |
+> | Microsoft.Network/virtualNetworks/subnets/join/action | Join action on virtual network subnets |
+> | Microsoft.Network/virtualNetworks/subnets/read | Read access to virtual network subnets |
+> | Microsoft.Resources/deployments/* | Full access to resource deployments |
+> | Microsoft.Resources/subscriptions/resourceGroups/read | Read access to resource groups in a subscription |
+> | Microsoft.Storage/checkNameAvailability/read | Read access to check name availability |
+> | Microsoft.Storage/storageAccounts/blobServices/containers/delete | Delete access to blob service containers in storage accounts |
+> | Microsoft.Storage/storageAccounts/blobServices/containers/read | Read access to blob service containers in storage accounts |
+> | Microsoft.Storage/storageAccounts/blobServices/containers/write | Write access to blob service containers in storage accounts |
+> | Microsoft.Storage/storageAccounts/listKeys/action | List keys action on storage accounts |
+> | Microsoft.Storage/storageAccounts/read | Read access to storage accounts |
+> | Microsoft.Storage/storageAccounts/write | Write access to storage accounts |
+> | NotActions |      |
+> | none |       |
+> | DataActions |      |
+> | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | Delete access to blobs in blob service containers |
+> | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Read access to blobs in blob service containers |
+> | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | Write access to blobs in blob service containers |
+> | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action | Add action on blobs in blob service containers |
+> | NotDataActions |     |
+> | none |     |
+
+```json
+"permissions": [
+            {
+                "actions": [
+                    "Microsoft.Authorization/*/read",
+                    "Microsoft.Compute/disks/read",
+                    "Microsoft.Compute/disks/write",
+                    "Microsoft.Compute/disks/delete",
+                    "Microsoft.Compute/disks/beginGetAccess/action",
+                    "Microsoft.Compute/disks/endGetAccess/action",
+                    "Microsoft.Compute/locations/diskOperations/read",
+                    "Microsoft.Compute/virtualMachines/read",
+                    "Microsoft.Compute/virtualMachines/write",
+                    "Microsoft.Compute/virtualMachines/delete",
+                    "Microsoft.Compute/virtualMachines/instanceView/read",
+                    "Microsoft.Compute/virtualMachines/extensions/read",
+                    "Microsoft.Compute/virtualMachines/extensions/write",
+                    "Microsoft.Compute/virtualMachines/extensions/delete",
+                    "Microsoft.Insights/alertRules/*",
+                    "Microsoft.Network/locations/operationResults/read",
+                    "Microsoft.Network/locations/operations/read",
+                    "Microsoft.Network/locations/usages/read",
+                    "Microsoft.Network/networkInterfaces/delete",
+                    "Microsoft.Network/networkInterfaces/ipconfigurations/read",
+                    "Microsoft.Network/networkInterfaces/join/action",
+                    "Microsoft.Network/networkInterfaces/read",
+                    "Microsoft.Network/networkInterfaces/write",
+                    "Microsoft.Network/networkSecurityGroups/read",
+                    "Microsoft.Network/networkSecurityGroups/securityRules/read",
+                    "Microsoft.Network/publicIPAddresses/delete",
+                    "Microsoft.Network/publicIPAddresses/join/action",
+                    "Microsoft.Network/publicIPAddresses/read",
+                    "Microsoft.Network/publicIPAddresses/write",
+                    "Microsoft.Network/virtualNetworks/read",
+                    "Microsoft.Network/virtualNetworks/subnets/join/action",
+                    "Microsoft.Network/virtualNetworks/subnets/read",
+                    "Microsoft.Resources/deployments/*",
+                    "Microsoft.Resources/subscriptions/resourceGroups/read",
+                    "Microsoft.Storage/checkNameAvailability/read",
+                    "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
+                    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
+                    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
+                    "Microsoft.Storage/storageAccounts/listKeys/action",
+                    "Microsoft.Storage/storageAccounts/read",
+                    "Microsoft.Storage/storageAccounts/write"
+                ],
+                "notActions": [],
+                "dataActions": [
+                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
+                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
+                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
+                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
+                ],
+
+
+
+```
+
+
 ## Windows 365 Network Interface Contributor
 
 This role is used by Windows 365 to provision required network resources and join Microsoft-hosted VMs to network interfaces.
