Veeam Backup for Microsoft Office 365 Complete Permissions
Veeam Backup for Microsoft Office version 4c supports two different modern authentication methods and a basic authentication method for working with Office 365 organizations.
Depending on your Office 365 tenant configuration and the restrictions on using legacy authentication protocols, you can use one of the following authentication methods:
- Modern authentication
- Modern authentication with legacy authentication protocols
- Basic authentication
These authentication types require different sets of permissions to be configured.
Configure permissions required for organizations with modern authentication
Veeam service account permissions
Veeam service account you are going to use should have a Global Administrator role.
Azure AD Application permissions
You can either allow Veeam Backup for Office 365 to create the Azure AD application and all the required application permissions will be granted automatically:
https://helpcenter.veeam.com/docs/vbo365/guide/register_ad_application.html?ver=40#cna
Or you can create an Azure AD application manually: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
And then configure the permissions in accordance with "Veeam Backup for Microsoft Office 365 Version 4c" section of this User Guide page: https://helpcenter.veeam.com/docs/vbo365/guide/azure_ad_applications.html?ver=40
Configure permissions required for organizations with modern authentication and legacy authentication protocols
Before configuring permissions below, make sure that Security Defaults are disabled in your Office 365 tenant:
And Conditional Access policies are not blocking legacy authentication protocols for the Veeam service account:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/
Veeam service account permissions
Exchange
Configuring permissions for Exchange Online.
- Create a role group in the Exchange Admin Center: https://outlook.office365.com/ecp/ as explained here: https://docs.microsoft.com/en-us/exchange/permissions/role-groups?view=exchserver-2019#use-the-eac-to-create-a-role-group
- Add Roles specified in this User Guide page: https://helpcenter.veeam.com/docs/vbo365/guide/permisisons_exchange.html?ver=40
- Add the Veeam Service account to role group members and save the role group.
- Connect to Exchange Online PowerShell module: https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell?view=exchange-p and run the "Get-AuthenticationPolicy" command.
- If there is a blank return then there is no policy in place and you need to configure one.
- If the current policy does not have "true" for AllowBasicAuthPowershell and AllowBasicAuthWebService contact your Domain admins to update the policy with the following Microsoft document: https://docs.microsoft.com/en-us/powershell/module/exchange/set-authenticationpolicy?view=exchange-ps
Below you may see the example of PowerShell cmdlets you could use to configure a new authentication policy with enabled AllowBasicAuthPowershell and AllowBasicAuthWebService for the Veeam service account.
To create a new authentication policy named "Allow Basic Auth":
New-AuthenticationPolicy -Name "Allow Basic Auth"Set-AuthenticationPolicy -Identity "Allow Basic Auth" -AllowBasicAuthPowershell
Set-AuthenticationPolicy -Identity "Allow Basic Auth" -AllowBasicAuthWebServiceSet-User -Identity <UserIdentity> -AuthenticationPolicy "Allow Basic Auth"Where is the Veeam service account.
SharePoint
Configuring Permissions for SharePoint Online.
- Grant Veeam service account with the SharePoint Administrator Role in Azure Admin Center: https://admin.microsoft.com/
- In the SharePoint Admin Center open [Policies] > [Access control] and set "Apps that don't use modern authentication" to "Allow Access".
App password
Configuring user App password.
- Set up Veeam service account user to leverage Multi-Factor Authentication: https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx?
- Make sure users are allowed to create app passwords: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-app-passwords#allow-users-to-create-app-passwords
- Sign-in to https://portal.office.com using Veeam service account credentials and create app password as explained here: https://docs.microsoft.com/en-us/azure/active-directory/user-help/multi-factor-authentication-end-user-app-passwords#create-and-delete-app-passwords-using-the-office-365-portal
Azure AD Application permissions
Configuring Azure AD Application.
- Register a new application in Azure AD as explained here: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
- Go to API permissions and click [Add a permission].
- Configure the permissions in accordance with "Veeam Backup for Microsoft Office 365 Version 4" section of this User Guide page: https://helpcenter.veeam.com/docs/vbo365/guide/azure_ad_applications.html?ver=40
All permissions must have Application type.
For more information about permission types please visit https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
- After all API permissions have been added you will need to grant admin consent.
- Select [Certificates & secrets] and [+New client secret].
- Add a Description> Choose Expiration> Add.
- Copy the Client's secret value.
- Go to Overview and copy the Application (client) ID.
Configure permissions required for organizations with basic authentication
Exchange
Exchange permissions should be configured the same way as in the Exchange section of this article.
SharePoint
SharePoint permissions should be configured the same way as in SharePoint section of this article.
Couldn't find what you were looking for?
Please select a spelling error or a typo on this page with your mouse and press CTRL + Enter to report this mistake to us. Thank you!
Spelling error in text
Do you have an issue or need post-sales technical assistance?
*if you need help choosing the right product, please select "Sales" chat
Do you need guidance on the website, upgrade hints or help with your licenses/accounts?
Questions regarding your Veeam contract renewal? Contact us and learn how you can maximize your savings
Do you need additional license, pricing details, product information or have any other sales-related question?
Would you like to become our partner or do you need assistance as our existing partner?
We apologize, but this chat is not available at the moment
We apologize, but this chat is not available at the moment
We apologize, but this chat is not available at the moment
We apologize, but this chat is not available at the moment
Veeam representative will get back to you shortly.
