Veeam Backup for Azure – Unable to check required permissions.

The Issue

When connecting my newly deployed instance of Veeam Backup for Microsoft Azure, I keep hitting the same error message after authenticating my account with Microsoft.

Error: Unable to check required permissions. This might be a problem in Microsoft Azure. Please wait and continue with the wizard later.

Simple enough message, I don’t have the right permissions, yet I knew on my test tenant I was a global admin, (and the only user configured in this tenant) so why was I seeing this error?

The cause

When I downloaded the logs, I found the following, it indicated that my account is connected to two tennants, both of the same name “Default Directory” to make things confusing, and the error was happening on the permissions check with the tenant.

It seems Veeam was automatically selecting the tenant which I was only a user of, and not the tennant in which I had Global Administrator permissions.

Below are the error logs;

Error: An exception occurred at /api/v1/accounts/azure/service/listAdGroups, trace ID:f07f71b5-9344-4ac9-b44e-a22fc66fcb23. Unable to check required permissions. This might be a problem in Microsoft Azure. Please wait and continue with the wizard later.

Authentication result listed following tenants: {Tennant1}, {Tennant2}
Checking application registration permissions...
Creating temporary Azure Active Directory application...
...
Warning: Attempting to create a Microsoft Azure application (attempt 3 of 3, reason {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"a6a26739-cf4d-4e6c-8104-f31dc24d3fe5","date":"2020-04-28T19:09:28"}})
Error: Graph exception: Code Authorization_RequestDenied, Message: Insufficient privileges to complete the operation.
Error: An exception occurred at /api/v1/accounts/azure/service/listSubscriptionsByToken, trace ID:c2151975-324c-4cb3-8f78-b1785e1585c7. Unable to check required permissions. This might be a problem in Microsoft Azure. Please wait and continue with the wizard later.

Authentication result listed following tenants: {Tennant1}, {Tennant2}
Microsoft Azure authentication allows to list following tenants: Default Directory (Tennant1), Default Directory (Tennant2)
Checking application registration permissions...
Creating temporary Azure Active Directory application...
...
Warning: Attempting to create a Microsoft Azure application (attempt 3 of 3, reason {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"fa031470-9298-40b0-bf74-7c54a28f1490","date":"2020-04-28T19:10:01"}})
Error: Graph exception: Code Authorization_RequestDenied, Message: Insufficient privileges to complete the operation.

The Fix

Quite a simple fix, log into portal.azure.com, click the small little directories icon as below.

Then ensure you have set your default directory to that which you have the correct permissions, as per the below screenshot.

If you are seeing this error on your correct directory, then the answer is even more simple, you have the incorrect permissions for that directory.

 

Regards

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.