Veeam Backup for Microsoft Office 365 Complete Permissions

KB ID: 2969
Product: Veeam Backup for Microsoft Office 365 5.0, Veeam Backup for Microsoft Office 365 4.0
Published: 2019-06-26
Last Modified: 2021-01-26

Starting with version 4c, Veeam Backup for Microsoft Office 365 supports two different modern authentication methods and a basic authentication method for working with Office 365 organizations.

Depending on the Office 365 tenant configuration and the restrictions on using legacy authentication protocols, one of the following authentication methods may be used: 

These authentication types require different sets of permissions to be configured. 


When protecting Office 365 organizations that use modern authentication, consider the limitations in backup and restore functionality listed in KB3146.

For organizations with Modern Authentication

Veeam service account permissions

The Veeam service account you are going to use should have the Global Administrator role.

Azure AD Application Permissions

There are two options:

Both Application permissions and Delegated permissions should be configured in the Azure AD application. 

For more information about permission types please visit:

For organizations with modern authentication and legacy authentication protocols

Before configuring permissions, please check the following things:


The following sections are laid out as follows:

  1. Configure Veeam service account permissions
    1. Exchange Role
    2. SharePoint Permissions
  2. Configure the App password
  3. Configure Azure AD Application permissions

1. Veeam service account permissions

1.a. Exchange Role

 Configuring permissions for Exchange Online.

  1. Create a role group in the Exchange Admin Center as explained here.
    • Add the roles specified in the User Guide.
    • Add the Veeam service account to the role group members and save the role group.
  2. Connect to the Exchange Online PowerShell module and run the "Get-AuthenticationPolicy" command.
    • If nothing is returned, there is no policy in place and you need to configure one.
    • If the current policy does not have "true" for AllowBasicAuthPowershell and AllowBasicAuthWebService, contact the domain admins to update the policy following this Microsoft document.


Below is an example of PowerShell cmdlets that can be used to configure a new authentication policy with AllowBasicAuthPowershell and AllowBasicAuthWebService enabled for the Veeam service account.

To create a new authentication policy named "Allow Basic Auth":

New-AuthenticationPolicy -Name "Allow Basic Auth"

To enable AllowBasicAuthPowershell and AllowBasicAuthWebService in the new authentication policy:

Set-AuthenticationPolicy -Identity "Allow Basic Auth" -AllowBasicAuthPowershell
Set-AuthenticationPolicy -Identity "Allow Basic Auth" -AllowBasicAuthWebService

To assign this policy to the Veeam service account, where <UserIdentity> is the Veeam service account:

Set-User -Identity <UserIdentity> -AuthenticationPolicy "Allow Basic Auth"
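To confirm the result of the steps above, the following check is an added example (not part of the original Veeam article). It reports which basic authentication settings the "Allow Basic Auth" policy enables and where the policy is applied. It assumes an open Exchange Online PowerShell session; the account name is a placeholder, and the setting names are matched by prefix rather than spelled out.

```powershell
# Added example: audit the basic-auth exception created for the Veeam service account.
# Assumes an open Exchange Online PowerShell session with rights to read policies.
$PolicyName  = 'Allow Basic Auth'            # policy name used in this article
$ServiceUser = 'veeam-svc@example.invalid'   # placeholder for <UserIdentity>

function Get-EnabledBasicAuthProtocol {
    # Return the names of every AllowBasicAuth* setting that is true on a policy.
    param([Parameter(Mandatory)] $Policy)
    $Policy.PSObject.Properties |
        Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
        ForEach-Object { $_.Name }
}

$policy  = Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction Stop
$enabled = @(Get-EnabledBasicAuthProtocol -Policy $policy)

# The two settings this article requires, matched by prefix.
$needed  = 'AllowBasicAuthPowershell', 'AllowBasicAuthWebService*'
$missing = @($needed | Where-Object {
    $pattern = $_
    -not ($enabled | Where-Object { $_ -like $pattern })
})
# Anything else that is enabled goes beyond what the article asks for.
$excess  = @($enabled | Where-Object {
    $_ -notlike $needed[0] -and $_ -notlike $needed[1]
})

# Where the policy applies: the service account, and the organization default.
$userPolicy = (Get-User -Identity $ServiceUser -ErrorAction Stop).AuthenticationPolicy
$orgDefault = (Get-OrganizationConfig).DefaultAuthenticationPolicy

[pscustomobject]@{
    Policy                = $PolicyName
    MissingRequired       = $missing -join ', '
    ExcessBasicAuth       = $excess -join ', '
    AssignedToServiceUser = ("$userPolicy" -like "*$PolicyName*")
    IsOrganizationDefault = ("$orgDefault" -like "*$PolicyName*")
}
```

MissingRequired and ExcessBasicAuth should both be empty, AssignedToServiceUser should be True, and IsOrganizationDefault should be False so that the basic authentication exception stays limited to the Veeam service account.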


1.b. SharePoint Permissions

Configuring Permissions for SharePoint Online.

  • Grant the Veeam service account the SharePoint Administrator role in Azure Admin Center.
  • In the SharePoint Admin Center open [Policies] > [Access control] and set "Apps that don't use modern authentication" to "Allow Access".

2. Configure the App password

  1. Set up the Veeam service account user to leverage Multi-Factor Authentication.
  2. Make sure users are allowed to create app passwords.
  3. Sign in to https://portal.office.com using the Veeam service account credentials and create an app password.

3. Azure AD Application permissions 

Configuring Azure AD Application.

  1. Register a new application in Azure AD.
  2. Go to API permissions and click [Add a permission].
  3. Configure the permissions in accordance with the "Requirements for Modern App-Only Authentication" section of this User Guide page.

All permissions must have Application type.

For more information about permission types please visit https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent

  4. After all API permissions have been added you will need to grant admin consent.
  5. Select [Certificates & secrets] and [+New client secret].
  6. Add a Description > Choose Expiration > Add.
  7. Copy the client secret value.
  8. Go to Overview and copy the Application (client) ID.

Permissions required for organizations with basic authentication


Exchange permissions should be configured the same way as in the Exchange section of this article.


SharePoint permissions should be configured the same way as in the SharePoint section of this article.
