Veeam Office 365 Complete Permissions

KB ID:
2969
Product:
Veeam Backup for Microsoft Office 365
Version:
2.x, 3.x, 4.x
Published:
Last Modified:
2020-07-06

Challenge

Configuring the required granular permissions for Veeam Office 365 and troubleshooting permission errors.

Cause

When adding an Organization, 11 verification checks are performed. Each check is listed below with what it means if it fails.
Note: Any permission changes in Office 365 Online may take 15-60 minutes to apply.

  1. Connection to Microsoft Graph: The meaning of this failure depends on whether you are using Modern authentication or Basic authentication.
    • Modern authentication: The Application ID and Secret failed to authenticate.
      • Make sure the Application ID and Secret were entered correctly
      • Check the Application API permissions in the "Azure AD Application" section below
      • Try generating a new Application Secret in Azure AD
    • Basic authentication: The username does not have permission to authenticate with Microsoft Graph Online.
      • If your Organization is federated, try creating a new cloud user account in Microsoft Azure AD for authentication.
      • Make sure that the user belongs to the Organization.
      • Check that the user has all permissions assigned in the SharePoint and Exchange sections below
  2. Connect to EWS: This is a connection to Exchange Web Services.
    • Modern authentication: This uses dual authentication, leveraging both the Application ID and the Username.
      • For the Application ID, check in Microsoft Azure AD that the correct APIs were assigned as Application permissions and not Delegated permissions.
      • For the Username, check in the Microsoft Exchange Admin Center that all permissions have been assigned to the user as documented below.
    • Basic authentication:
      • For the Username, check in the Microsoft Exchange Admin Center that all permissions have been assigned to the user as documented below.
  3. Connection to PowerShell: This step checks that a connection to Exchange Online PowerShell can be made. Only the username is used for this verification. It requires AllowBasicAuthPowershell and AllowBasicAuthWebServices to be allowed in the policy this user is assigned to.
  4. Check through PowerShell that the policies are allowed for the user.
  5. Check Exchange plan and SharePoint plan: If either of these fails, your plan cannot be automatically identified as Valid. Use the below KB to add the proper plans to your configuration.
  6. Check Required cmdlets access: related to Exchange Online.
  7. Check Mailbox Search role: related to Exchange Online.
  8. Check ApplicationImpersonation role: related to Exchange Online.
  9. Check that the user has been properly added to the role group with all necessary permissions, as shown in the Exchange section below.
  10. Check SharePoint Online Administrators role: This refers to the SharePoint Administrator role that you assign to the user in the Admin Center.
    • Refer to the SharePoint section below and make sure that the service account has the SharePoint Administrator role assigned.
  11. Check LegacyAuthProtocolsEnabled: This is a setting in the SharePoint Admin Center that enables legacy authentication.
    • Refer to the SharePoint section below to allow apps that don't use modern authentication.
    • An "Unauthorized" error is thrown by SharePoint Online and/or OneDrive for Business backup jobs: https://www.veeam.com/kb2714

Solution

This section provides details on configuring permissions.

These links can be used to skip to a specific section.

Exchange
SharePoint
User App Password
Azure AD Application

Exchange

Configuring Permissions for Exchange (on-premises or Online):

  • Log in to the Exchange Admin Center: https://outlook.office365.com/ecp/
  • Select Permissions and add a New Role Group
  • Create your Role Group:
    • Name your role group appropriately (Example: VBO Permissions)
    • Add Roles:
      • ApplicationImpersonation
      • View-Only Configuration
      • View-Only Recipients
      • Mailbox Search
      • Mail Recipients
    • Add the Veeam Service account under Members
    • Save
SharePoint

Configuring Permissions for SharePoint Online:

  • Add the SharePoint Administrator role to the user in the Azure Admin Center: https://admin.microsoft.com/
  • Select: [Users] > [Active Users] > Select the Backup Service account
  • Allow apps that don't use modern authentication in the SharePoint Admin Center:
    https://<ORGNAME>-admin.sharepoint.com/
  • Select: [Access control] > [Apps that don't use modern authentication] > [Allow Access]
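The Exchange role group above can also be created from Exchange Online PowerShell, and the same session can report the settings that verification checks 3, 4, 9 and 11 in the Cause section look at. This is an added example, not a script from the Veeam KB; it assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed, and the service account, tenant name and role group name are placeholders for your environment.

```powershell
# Added example (not from the KB). Placeholders: replace with your own values.
$ServiceAccount = 'vbo-service@contoso.onmicrosoft.com'   # Veeam backup service account (placeholder)
$TenantName     = 'contoso'                                # the <ORGNAME> part of <ORGNAME>-admin.sharepoint.com
$RoleGroupName  = 'VBO Permissions'                        # name used in the KB's Exchange example

Connect-ExchangeOnline -ShowBanner:$false

# Roles listed in the KB's Exchange section, nothing more (least privilege for the service account)
$Roles = 'ApplicationImpersonation', 'View-Only Configuration', 'View-Only Recipients',
         'Mailbox Search', 'Mail Recipients'

# Create the role group once; on later runs only make sure the account is a member
if (-not (Get-RoleGroup -Identity $RoleGroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroupName -Roles $Roles -Members $ServiceAccount
} else {
    Add-RoleGroupMember -Identity $RoleGroupName -Member $ServiceAccount -ErrorAction SilentlyContinue
}

# Check 9: confirm the role group carries exactly the expected roles and contains the account
Get-RoleGroup -Identity $RoleGroupName | Select-Object Name, Roles, Members

# Checks 3 and 4: AllowBasicAuthPowershell and AllowBasicAuthWebServices must be $true in the
# authentication policy assigned to the account; with no policy assigned, the tenant default applies
$PolicyName = (Get-User -Identity $ServiceAccount).AuthenticationPolicy
if ($PolicyName) {
    Get-AuthenticationPolicy -Identity $PolicyName |
        Select-Object Name, AllowBasicAuthPowershell, AllowBasicAuthWebServices
} else {
    Write-Output "No authentication policy assigned to $ServiceAccount; tenant default applies."
}

# Check 11: LegacyAuthProtocolsEnabled is the tenant-wide setting behind
# [Access control] > [Apps that don't use modern authentication] in the SharePoint Admin Center
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
Get-SPOTenant | Select-Object LegacyAuthProtocolsEnabled

Disconnect-SPOService
Disconnect-ExchangeOnline -Confirm:$false
```

Connect-SPOService requires an account holding the SharePoint Administrator role, which is the same role the SharePoint section above assigns; the script only reads settings apart from the role group creation, so it is safe to rerun after the 15-60 minute propagation delay to confirm that the checks now pass.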

User App Password

Configuring user App Password:
Azure AD Application

Configuring Azure AD Application:

    • Register a new App in Azure AD: https://aad.portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade
      It can also be found under: [All services] > [App Registrations]

    • Name the Application

    • Add a Redirect URL (the URL does not need to be real. Example: "http://localhost/")

    • Click Register

    • Select API permissions and Add a permission.
      Please keep in mind that all permissions must be added as Application permissions and not Delegated permissions.

    • The first API will be at the top of the page: Microsoft Graph > Application Permissions

    • Check Directory.Read.All and Group.Read.All, then select Add permissions.
      Directory.Read.All is required to read organization and users' properties. Group.Read.All is required to read group properties and membership.

    • If you are going to use application certificates, the second API will be halfway down the page: SharePoint > Application Permissions

    • Check Sites.FullControl.All and User.Read.All, then select Add permissions.
      Sites.FullControl.All is required to read site content. User.Read.All is required to read user profiles.

    • The last API is also required only if using application certificates. It will be at the bottom of the page under [Supported legacy APIs]: Exchange > Application Permissions.

    • Check [full_access_as_app], then select Add permissions.
      full_access_as_app is required to read mailbox content.

    • After all APIs have been added you will need to Grant consent.

    • Select [Certificates & secrets] and [+ New client secret]

    • Add a Description > Choose Expiration > Add

    • Copy the Secret Value, because it will no longer be available once you close the window.

    • Locate the Application ID: Overview > Application (client) ID
