Backup Jobs with Public Folders fail

KB ID:
3093
Product:
Veeam Backup for Microsoft Office 365
Version:
2.x, 3.x, 4.x
Published:
Last Modified:
2020-01-23

Challenge

The following error occurs when backing up public folders: "Processing mailbox PublicFolderMailbox@xxxxxxxx.onmicrosoft.com failed with error: Failed to synchronize item changes in folder: FOLDERNAME.. Access is denied. Check credentials and try again., ICS synchronization failed.".
 

Log files may contain the following information:
 
20.12.2012 07:55:14 16 (1448) Processing mailbox:  PublicFolderMailbox@xxxxxxxx.onmicrosoft.com...
20.12.2012 07:55:14 16 (1448) Syncing folder items: FOLDERNAME...
20.12.2012 07:55:14 16 (1448) Exchange Web Services error code: ErrorAccessDenied
20.12.2012 07:55:14 16 (1448) Error: Failed to synchronize item changes in folder: FOLDERNAME.
20.12.2012 07:55:14 16 (1448) Type: Veeam.Ews.Internal.ExServerCodeException


In addition, Veeam Explorer for Exchange may fail to show successfully backed-up public folders.

Cause

Either of the following conditions may cause the error:

  • Public folders are not located under the IPM_SUBTREE folder.
  • The Default user does not have permissions to access public folders.

Solution

The Public Folder is not Located Under IPM_SUBTREE

Veeam Backup for Microsoft Office 365 works with public folders located under the IPM_SUBTREE folder only. Other locations such as, for example, NON_IPM_SUBTREE are not supported.
To check if the public folder is located under the IPM_SUBTREE folder, run the following cmdlet and specify credentials used in Veeam Backup for Microsoft Office 365.
$creds = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $creds -Authentication Basic -AllowRedirection
Import-PSSession $Session
Get-PublicFolder -Identity \ -Recurse | Format-List Name
Remove-PSSession $session


An output similar to the following must be displayed:
 

Name : IPM_SUBTREE
Name : PublicFolderMailbox@*********.onmicrosoft.com
Name : FOLDERNAME
Name : Second Sub Folder
Name : Third Sub Folder

If, according to the output above, a public folder is located under the IPM_SUBTREE folder, no additional actions are needed. Otherwise, if the public folder is located under any other unsupported folder, make sure to move such a public folder to IPM_SUBTREE.

The Default User Does Not Have Sufficient Permissions

Veeam Backup for Microsoft Office 365 uses impersonation to back up public folders. When a public folder is created, it automatically inherits permissions from its parent folder. One of these permissions is assigned to the Default user and grants the Author access rights. In case when an Exchange administrator revokes granted permissions from the Default user, impersonation cannot be performed.

In case you do not want the Default user to have access to public folders and want to use the service account instead, make sure to assign either the Owner or Reviewer permissions to each of the public folders of the service account.

To see the accounts that have access to public folders and the permissions given, run the following cmdlet and specify credentials used in Veeam Backup for Microsoft Office 365.
$creds = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $creds -Authentication Basic -AllowRedirection

Import-PSSession $Session

Get-PublicFolder \ -Recurse | 
    Get-PublicFolderClientPermission | 
    Select-Object Identity,@{Expression={$_.User};Label="User";},@{Expression={$_.AccessRights};Label="AccessRights";} | 
    Export-Csv C:\PublicFolderClientPermission.csv

Remove-PSSession $session

The cmdlet saves information about users and permissions to the C:\PublicFolderClientPermission.csv file.
User-added image

To grant access, you can do either of the following:
  • Assign either the Owner or Reviewer permission to each of the public folders (and sub-folders) of the Default user.
  • Add your service account to public folders with the Owner or Reviewer permissions, and disable impersonation.
To assign permissions, run the following cmdlet and specify credentials used in Veeam Backup for Microsoft Office 365.
$creds = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $creds -Authentication Basic -AllowRedirection

Import-PSSession $Session

$folders = get-publicfolder "\" -recurse

foreach($folder in $folders)
{
Add-PublicFolderClientPermission -Identity $folder.identity -user YourServiceAccount@*******.onmicrosoft.com -AccessRights Reviewer
}

Remove-PSSession $session

NOTE: It is recommended to use PowerShell to assign permissions to public folders.

The following table shows an example of users permissions after the cmdlet is executed.
User-added image

Once the cmdlet is executed, make sure to disable impersonation for the service account. After impersonation is disabled, the service account will have direct access to public folders.

To disable impersonation, do the following:

1.  Open the Veeam Backup for Microsoft Office 365 console and stop active backup jobs (if any).
2.  Open the Services.msc console on a proxy server that is responsible for processing public folders.
To find out which proxy server is used, in the Veeam Backup for Microsoft Office 365 console, right-click a backup job, select Edit and go to the Specify Backup Proxy and Repository step.
3.  In the Services.msc console, stop the Veeam Backup Proxy for Microsoft Office 365 Service.
4.  Create a backup copy of the C:\ProgramData\Veeam\Backup365\Proxy.xml file by copying it to another location.
5.  Open the original Proxy.xml file using any text editor and add the <Source EwsImpersonatePublics="False" /> line between <Veeam><Archiver> tags.
Example:
<Veeam>

    <Archiver>

        <Source EwsImpersonatePublics="False" />

       .....

       .....

     </Archiver>

</Veeam>

6.  Save the Proxy.xml file.
7.  Start the Veeam Backup Proxy for Microsoft Office 365 Service.
8.  Open the Veeam Backup for Microsoft Office 365 console and run backup jobs with public folders.

NOTE: All PowerShell scripts provided above are intended to get and assign needed permissions automatically to ensure that no public folders are missed. 
Please be aware that the commands and parameters may be altered by Microsoft in the future, which may cause thees scripts to function incorrectly. 
There is no support provided for these scripts, and should they fail, we ask that you please contact Microsoft support. 

These scripts may be updated in the future to reflect changes to the Office 365 PowerShell Environment.

More Information

Do not hesitate to contact Veeam support if the error remains.

Please be aware that we’re making changes which will restrict access to product updates for users without an active contract.

OK

Rate the quality of this KB article: 
5 out of 5 based on 1 ratings

Couldn't find what you were looking for?

Below you can submit an idea for a new knowledge base article.

Report a typo on this page:

Please select a spelling error or a typo on this page with your mouse and press CTRL + Enter to report this mistake to us. Thank you!

Spelling error in text:

Submit