https://login.veeam.com/en/oauth?client_id=nXojRrypJ8&redirect_uri=https%3A%2F%2Fwww.veeam.com%2Fservices%2Fauthentication%2Fredirect_url&response_type=code&scope=profile&state=eyJmaW5hbFJlZGlyZWN0TG9jYXRpb24iOiJodHRwczovL3d3dy52ZWVhbS5jb20va2IyOTY5IiwiaGFzaCI6ImM1YzU2ODhiLWNhODMtNGExOS1iNmFjLWRlOGU1MWRiZDg5ZSJ9
1-800-691-1991 | 9am - 8pm ET
EN

Veeam Backup for Microsoft Office 365 Complete Permissions

Veeam Backup for Microsoft Office version 4c supports two different modern authentication methods and a basic authentication method for working with Office 365 organizations.

Depending on your Office 365 tenant configuration and the restrictions on using legacy authentication protocols, you can use one of the following authentication methods: 

These authentication types require different sets of permissions to be configured. 

 

When protecting Office 365 organizations that use modern authentication, consider the limitations in backup and restore functionality listed in KB3146

Configure permissions required for organizations with modern authentication

Veeam service account permissions

Veeam service account you are going to use should have a Global Administrator role.

Azure AD Application permissions

You can either allow Veeam Backup for Office 365 to create the Azure AD application and all the required application permissions will be granted automatically:

https://helpcenter.veeam.com/docs/vbo365/guide/register_ad_application.html?ver=40#cna

Or you can create an Azure AD application manually: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

And then configure the permissions in accordance with "Veeam Backup for Microsoft Office 365 Version 4c" section of this User Guide page: https://helpcenter.veeam.com/docs/vbo365/guide/azure_ad_applications.html?ver=40

Both Application permissions and Delegated permissions should be configured in the Azure AD application. For more information about permission types please visit https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent

Configure permissions required for organizations with modern authentication and legacy authentication protocols

Before configuring permissions below, make sure that Security Defaults are disabled in your Office 365 tenant:

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

And Conditional Access policies are not blocking legacy authentication protocols for the Veeam service account:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/

Veeam service account permissions

Exchange

 Configuring permissions for Exchange Online.

Below you may see the example of PowerShell cmdlets you could use to configure a new authentication policy with enabled AllowBasicAuthPowershell and AllowBasicAuthWebService for the Veeam service account.

To create a new authentication policy named "Allow Basic Auth":

New-AuthenticationPolicy -Name "Allow Basic Auth"
To enable AllowBasicAuthPowershell and AllowBasicAuthWebService in the new authentication policy:
Set-AuthenticationPolicy -Identity "Allow Basic Auth" -AllowBasicAuthPowershell
Set-AuthenticationPolicy -Identity "Allow Basic Auth" -AllowBasicAuthWebService
To assign this policy to the Veeam service account:
Set-User -Identity <UserIdentity> -AuthenticationPolicy "Allow Basic Auth"

Where is the Veeam service account.

SharePoint

Configuring Permissions for SharePoint Online.

  • Grant Veeam service account with the SharePoint Administrator Role in Azure Admin Center: https://admin.microsoft.com/
  • In the SharePoint Admin Center open [Policies] > [Access control]  and set "Apps that don't use modern authentication" to "Allow Access".
2969_1
kb2969_7
App password

Configuring user App password.

Azure AD Application permissions 

Configuring Azure AD Application.

2969_2

All permissions must have Application type.

For more information about permission types please visit https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent

  • After all API permissions have been added you will need to grant admin consent.
2969_3
  • Select [Certificates & secrets] and [+New client secret].
2969_4
  • Add a Description> Choose Expiration> Add.
2969_5
  • Copy the Client's secret value.
  • Go to Overview and copy the Application (client) ID.
2969_6

Configure permissions required for organizations with basic authentication

Exchange

Exchange permissions should be configured the same way as in the Exchange section of this article.

SharePoint

SharePoint permissions should be configured the same way as in SharePoint section of this article.

KB ID:
2969
Product:
Veeam Backup for Microsoft Office 365
Version:
2.x, 3.x, 4.x
Published:
2019-06-26
Last Modified:
2020-10-13
Please rate how helpful this article was to you:
5 out of 5 based on 1 ratings
Thank you for helping us improve!
An error occurred during voting. Please try again later.

Couldn't find what you were looking for?

Below you can submit an idea for a new knowledge base article.
Report a typo on this page:

Please select a spelling error or a typo on this page with your mouse and press CTRL + Enter to report this mistake to us. Thank you!

Spelling error in text

Knowledge base content request
By submitting, you agree that your personal data will be managed by Veeam in accordance with the Privacy Policy.
Your report was sent to the responsible team. Our representative will contact you by email you provided.
We're working on it please try again later