Backups that use the Microsoft Virtual Device Interface (VDI) API (the interface third-party products such as NetBackup, Commvault, and Veeam use to back up SQL Server databases) require sysadmin privileges primarily because of how the VDI connection is designed.
The specific reasons include:
Shared Resource Access: The VDI connection involves shared memory and resources between the SQL Server process and the third-party backup client. Managing these shared resources requires high-level system permissions that are only available to the sysadmin role.
Executing Advanced Commands: Unlike native SQL backups, which can operate with restricted roles like db_backupoperator, a VDI connection is capable of executing more than simple backup and restore commands. Microsoft mandates sysadmin because the API allows for low-level interactions with the server.
Differential and Log Backups: While some snapshot backups may work with lower permissions, differential and transaction log backups over VDI require the sysadmin role; without it, these backups fail early in the backup process.
Design Limitation: Microsoft classifies this requirement as a design limitation of the SQL Server VDI implementation. There is currently no granular permission that can be granted specifically for VDI operations without including the full sysadmin suite.
For security, some organizations use Group Managed Service Accounts (gMSA) to manage these high-privilege backup accounts more securely.
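The practical consequence of the above is a two-tier model: native T-SQL backups can run under a least-privilege login, while the VDI agent's account must be sysadmin and therefore deserves extra scrutiny. The T-SQL below is an added example, not code from the original answer or from any backup vendor; the domain, account names, database name and file paths (CONTOSO\svc_sqlbackup$, CONTOSO\svc_vdibackup$, SalesDB, D:\Backups, D:\Audit) are constructed placeholders.

```sql
-- 1. Native backup path: a gMSA login that holds only db_backupoperator.
--    (gMSA names end in $ and are created as Windows logins; no password is stored in SQL.)
USE master;
CREATE LOGIN [CONTOSO\svc_sqlbackup$] FROM WINDOWS;   -- constructed placeholder account
GO
USE SalesDB;                                           -- constructed placeholder database
CREATE USER [CONTOSO\svc_sqlbackup$] FOR LOGIN [CONTOSO\svc_sqlbackup$];
ALTER ROLE db_backupoperator ADD MEMBER [CONTOSO\svc_sqlbackup$];
GO

-- Confirm the effective rights of that login: it should NOT be sysadmin
-- but SHOULD be a backup operator in this database.
EXECUTE AS LOGIN = N'CONTOSO\svc_sqlbackup$';
SELECT IS_SRVROLEMEMBER('sysadmin')        AS is_sysadmin,      -- expected 0
       IS_ROLEMEMBER('db_backupoperator')  AS is_backup_operator; -- expected 1
REVERT;
GO

-- What that login is allowed to do (full, differential and log backups of SalesDB):
-- BACKUP DATABASE SalesDB TO DISK = N'D:\Backups\SalesDB_full.bak' WITH CHECKSUM;
-- BACKUP DATABASE SalesDB TO DISK = N'D:\Backups\SalesDB_diff.bak' WITH DIFFERENTIAL, CHECKSUM;
-- BACKUP LOG      SalesDB TO DISK = N'D:\Backups\SalesDB_log.trn'  WITH CHECKSUM;

-- 2. VDI path: the third-party agent's gMSA has to be sysadmin (design limitation above).
USE master;
CREATE LOGIN [CONTOSO\svc_vdibackup$] FROM WINDOWS;   -- constructed placeholder account
ALTER SERVER ROLE sysadmin ADD MEMBER [CONTOSO\svc_vdibackup$];
GO

-- 3. Because that account is sysadmin, keep an inventory of every sysadmin member
--    and review it regularly; the VDI agent account should be the only service account here.
SELECT m.name AS member_name, m.type_desc, m.is_disabled, m.create_date
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
GO

-- 4. Record backup/restore activity and any change to server-role membership with
--    SQL Server Audit, so use (or misuse) of the high-privilege account is visible.
CREATE SERVER AUDIT BackupAccountAudit
    TO FILE (FILEPATH = N'D:\Audit\');                 -- constructed placeholder path
GO
CREATE SERVER AUDIT SPECIFICATION BackupAccountSpec
    FOR SERVER AUDIT BackupAccountAudit
    ADD (BACKUP_RESTORE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT BackupAccountAudit WITH (STATE = ON);
GO
```

Step 1 is the part worth reusing wherever a native backup job is sufficient: a login in db_backupoperator can take full, differential and log backups without any server-level role. Steps 3 and 4 are the compensating controls for the VDI account, whose sysadmin membership cannot be narrowed; the audit action groups named here (BACKUP_RESTORE_GROUP, SERVER_ROLE_MEMBER_CHANGE_GROUP) are standard SQL Server Audit groups.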