Veeam Backup for Microsoft 365 Complete Permissions

KB ID: 2969
Product: Veeam Backup for Microsoft 365 | Veeam Backup for Microsoft Office 365 4.0 | Veeam Backup for Microsoft Office 365 5.0
Published: 2019-06-26
Last Modified: 2022-08-19

This KB is being phased out

The content of this article is being transitioned to the Veeam Backup for Microsoft 365 User Guide.

An up-to-date list of required permissions is available in the Veeam Backup for Microsoft 365 User Guide.

Authentication Modes Summary

Depending on the Microsoft 365 account configuration and the restrictions on using legacy authentication protocols, one of the following authentication methods may be used:

  • Modern app-only authentication
    When you use this method, Veeam Backup for Microsoft 365 uses only the Azure AD application to authenticate to your Microsoft 365 organizations with enabled security defaults. You cannot use the Veeam Backup account with the modern app-only authentication method.

    When protecting Microsoft 365 organizations using Modern App-Only Authentication mode, consider the limitations in backup and restore functionality listed in KB3146.
  • Modern authentication with legacy protocols allowed
    When you use this method, you can use both the Veeam Backup account and Azure AD application to authenticate to your Microsoft 365 organizations with disabled security defaults. You use an MFA-enabled Microsoft 365 user account as the Veeam Backup account.
  • Basic authentication
    When you use this method, you are required to provide a user account as the Veeam Backup account to authenticate to your Microsoft 365 organization.

 

Microsoft Deprecation of Basic Authentication in Exchange Online

Microsoft is planning to deprecate Basic Authentication soon:

Deprecation of Basic authentication in Exchange Online

Authentication Mode Permissions

Modern App-Only Authentication

When you add a Microsoft 365 organization using the modern app-only authentication method, you use only an Azure AD application to establish and maintain the connection between Veeam Backup for Microsoft 365 and Microsoft 365 organizations, and to perform backup and restore from and to such organizations.

Azure AD Application Permissions

When adding a Microsoft 365 organization using Modern app-only authentication, you can create a new application in Azure Active Directory or select an existing one.

Both Application permissions and Delegated permissions should be configured in the Azure AD application. 

For more information about permission types please visit:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent

Modern Authentication with Legacy Protocols Allowed

When you add an organization using the modern authentication method with legacy protocols allowed, you use both the Veeam Backup account and an Azure AD application for authentication. Veeam Backup for Microsoft 365 uses the Veeam Backup account and the application to establish a connection to your Microsoft 365 organizations with disabled security defaults and to maintain data transfer during backup and restore sessions.

 

Before configuring permissions, please check the following things:

 

Section Table of Contents

  1. Configure Veeam service account permissions
    1. Exchange Role
    2. SharePoint Permissions
  2. Configure the App password
  3. Configure Azure AD Application permissions

1. Veeam service account permissions

1.a. Exchange Role

Configuring permissions for Exchange Online.

  1. Create a role group in the Exchange Admin Center as explained here.
    • Add Roles specified in the User Guide.
    • Add the Veeam Service account to role group members and save the role group.
  2. Connect to the Exchange Online PowerShell module and run the "Get-AuthenticationPolicy" command.
    • If nothing is returned, there is no policy, and you need to configure one.
    • If the current policy does not list a value of "true" for AllowBasicAuthPowershell and AllowBasicAuthWebServices, contact the Domain admins to update the policy using this Microsoft document.

Below is an example of PowerShell cmdlets that could be used to configure a new authentication policy with AllowBasicAuthPowershell and AllowBasicAuthWebServices enabled for the Veeam service account.

To create a new authentication policy named "Allow Basic Auth":

New-AuthenticationPolicy -Name "Allow Basic Auth"

To enable AllowBasicAuthPowershell and AllowBasicAuthWebServices in the new authentication policy:

Set-AuthenticationPolicy -Identity "Allow Basic Auth" -AllowBasicAuthPowershell
Set-AuthenticationPolicy -Identity "Allow Basic Auth" -AllowBasicAuthWebServices

To assign this policy to the Veeam service account, where <UserIdentity> is the Veeam service account:

Set-User -Identity <UserIdentity> -AuthenticationPolicy "Allow Basic Auth"

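
A read-only check to run after the cmdlets above, added here as an example and not part of the original KB: it confirms that the "Allow Basic Auth" policy enables only the two protocols the article requires and that it is assigned to the Veeam service account alone. The account name is a constructed placeholder, and filtering Get-User by the policy's distinguished name is an assumption about how the assignment is stored.

```powershell
# Added example, not Veeam's code. Run in an Exchange Online PowerShell session.
$PolicyName     = 'Allow Basic Auth'
$ServiceAccount = 'veeam-svc@example.onmicrosoft.com'   # constructed placeholder
$Required       = @('AllowBasicAuthPowershell', 'AllowBasicAuthWebServices')

$policy = Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction Stop

# Every AllowBasicAuth* setting that is switched on in this policy.
$enabled = @($policy.PSObject.Properties |
    Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
    ForEach-Object { $_.Name })

# Required protocols that are off, and enabled protocols the KB does not ask for.
$missing = @($Required | Where-Object { $_ -notin $enabled })
$extra   = @($enabled  | Where-Object { $_ -notin $Required })

# Users the policy is assigned to (assumption: the filter matches on the policy DN).
$filter   = "AuthenticationPolicy -eq '$($policy.DistinguishedName)'"
$assigned = @(Get-User -ResultSize Unlimited -Filter $filter)
$others   = @($assigned | Where-Object { $_.UserPrincipalName -ne $ServiceAccount })
$onSvc    = @($assigned | Where-Object { $_.UserPrincipalName -eq $ServiceAccount })

# The tenant default policy applies to every user without an explicit assignment,
# so a Basic-auth-enabled policy should not appear here.
$orgDefault = (Get-OrganizationConfig).DefaultAuthenticationPolicy

[pscustomobject]@{
    Policy                   = $policy.Name
    EnabledProtocols         = $enabled -join ', '
    MissingRequired          = $missing -join ', '
    ExtraProtocols           = $extra -join ', '
    AssignedToServiceAccount = ($onSvc.Count -eq 1)
    OtherAssignees           = ($others.UserPrincipalName -join ', ')
    OrgDefaultPolicy         = $orgDefault
    ScopedAsIntended         = ($missing.Count -eq 0 -and $extra.Count -eq 0 -and
                                $onSvc.Count -eq 1 -and $others.Count -eq 0)
} | Format-List
```

Compare OrgDefaultPolicy with the policy name by eye; the script reports it as returned and does not fold it into ScopedAsIntended.
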
1.b. SharePoint Permissions

Configuring Permissions for SharePoint Online.

  • Grant the Veeam service account the SharePoint Administrator role in the Azure Admin Center.
  • In the SharePoint Admin Center, open [Policies] > [Access control] and set "Apps that don't use modern authentication" to "Allow Access".

2. Configure the App password

  1. Set up the Veeam service account user to leverage Multi-Factor Authentication.
  2. Make sure users are allowed to create app passwords.
  3. Sign in to https://portal.office.com using the Veeam service account credentials and create an app password.

3. Azure AD Application permissions

  1. Register a new application in Azure AD.
  2. Go to API permissions and click [Add a permission].
  3. Configure the permissions per the "Requirements for Modern App-Only Authentication" section of this User Guide page.

All permissions must have Application type.

For more information about permission types please visit https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent

  4. After all API permissions have been added, you will need to grant admin consent.
  5. Select [Certificates & secrets] and [+New client secret].
  6. Add a Description > choose Expiration > Add.
  7. Copy the client secret value.
  8. Go to Overview and copy the Application (client) ID.

Basic Authentication

When you add an organization using the basic authentication method, you are required to provide a user name and password to authenticate to your Microsoft 365 organization.
 

Exchange

Exchange permissions should be configured the same way as in the Exchange section of this article.

SharePoint

SharePoint permissions should be configured the same way as in the SharePoint section of this article.
