When you add an organization using the modern app-only authentication method, the permissions for the Azure AD application are granted automatically by Veeam Backup for Microsoft 365.
If you prefer to use a custom application of your own, make sure to grant all the permissions listed below.
Permissions for Backup
All listed permissions are of the Application type.
Permissions for Restore
To restore data using an Azure AD application, make sure that you configure the Azure AD application settings.
Restore Using Device Code Flow
All listed permissions are of the Delegated type and required for data restore using Veeam Explorers.
Restore Using Application Certificate
All listed permissions are of the Application type and required for data restore using Restore Portal and through REST API and PowerShell.
1. Sign in to the Azure portal with a Global Admin account.
2. Search for and select Azure Active Directory.
3. Under Manage, select App registrations.
4. On the App registrations page, select +New registration.
5. On the Register an application page, type VBO365APP as the application Name, select Accounts in this organizational directory only, and click Register.
6. When registration finishes, the Azure portal displays the app registration’s Overview pane, where you see the Application (client) ID. Also called the client ID, this value uniquely identifies your application in the Microsoft identity platform. Select API permissions.
7. On the Configured permissions page, select +Add permission.
8. On the Request API permissions page, select Microsoft APIs, select Microsoft Graph.
9. On the Microsoft Graph page, select Application permissions.
10. On the Select permission page, expand Directory, select Directory.Read.All.
11. On the Select permission page, expand Group, select Group.Read.All.
12. On the Select permission page, expand TeamSettings, select TeamSettings.ReadWrite.All.
13. On the Select permission page, expand Sites, select Sites.Read.All, click Add permissions.
14. On the Configured permissions page, select +Add permission.
15. On the Request API permissions page, select APIs my organization uses.
16. On the APIs my organization uses page, search for and select Office 365 Exchange Online.
17. On the Office 365 Exchange Online page, select Application permissions.
18. On the Select permission page, expand Other permissions, select full_access_as_app, click Add permissions.
19. On the Configured permissions page, select +Add permission.
20. On the Request API permissions page, select Microsoft APIs, click SharePoint.
21. On the SharePoint page, select Application permissions.
22. On the Select permission page, expand Sites, select Sites.FullControl.All.
23. On the Select permission page, expand Users, select User.Read.All, click Add permissions.
24. On the Configured permissions page, select +Add permission.
25. On the Request API permissions page, select Microsoft APIs, select Microsoft Graph.
26. On the Microsoft Graph page, select Delegated permissions.
27. On the Select permission page, expand Directory, select Directory.Read.All.
28. On the Select permission page, expand Group, select Group.Read.All.
29. On the Select permission page, expand Sites, select Sites.Read.All.
30. On the Select permission page, expand OpenId permissions, select offline_access, click Add permissions.
31. On the Configured permissions page, select +Add permission.
32. On the Request API permissions page, select APIs my organization uses.
33. On the APIs my organization uses page, search for and select Office 365 Exchange Online.
34. On the Office 365 Exchange Online page, select Delegated permissions.
35. On the Select permission page, expand EWS, select EWS.AccessAsUser.All, click Add permissions.
36. On the Configured permissions page, select +Add permission.
37. On the Request API permissions page, select Microsoft APIs, click SharePoint.
38. On the SharePoint page, select Delegated permissions.
39. On the Select permission page, expand AllSites, select AllSites.FullControl.
40. On the Select permission page, expand Users, select User.Read.All, click Add permissions.
41. On the Configured permissions page, select +Add permission.
42. On the Request API permissions page, select Microsoft APIs, select Microsoft Graph.
43. On the Microsoft Graph page, select Application permissions.
44. On the Select permission page, expand Group, select Group.ReadWrite.All, click Add permissions.
45. On the Configured permissions page, click Grant admin consent for your domain name (in my case, carysun.com).
46. On the Grant admin consent confirmation page, click Yes.
47. Verify that the status of all API permissions shows no warnings.
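An added example, not part of the original post or of Veeam's tooling: a small Python audit that resolves Microsoft Graph style grant records (appRoleAssignments and oauth2PermissionGrants) to permission names and compares them with the permissions configured in steps 10 to 54, reporting missing and unexpected grants. The record ids and the extra Mail.ReadWrite grant are constructed sample data, and the API names are assumed to match the portal labels used above.

```python
# Baseline taken from steps 10-54 of this post: (API, permission type) -> names.
# Assumption: API names match the portal labels above; adjust to your tenant.
EXPECTED = {
    ("Microsoft Graph", "Application"): {"Directory.Read.All", "Group.Read.All",
        "TeamSettings.ReadWrite.All", "Sites.Read.All", "Group.ReadWrite.All"},
    ("Office 365 Exchange Online", "Application"): {"full_access_as_app"},
    ("SharePoint", "Application"): {"Sites.FullControl.All", "User.Read.All"},
    ("Microsoft Graph", "Delegated"): {"Directory.Read.All", "Group.Read.All",
        "Sites.Read.All", "offline_access"},
    ("Office 365 Exchange Online", "Delegated"): {"EWS.AccessAsUser.All"},
    ("SharePoint", "Delegated"): {"AllSites.FullControl", "User.Read.All"},
}

def granted(resources, role_assignments, scope_grants):
    """Resolve Graph-style grant records to {(api, type): {permission names}}."""
    api = {r["id"]: r["displayName"] for r in resources}
    role = {(r["id"], a["id"]): a["value"] for r in resources for a in r["appRoles"]}
    out = {}
    for a in role_assignments:  # application permissions are stored as role ids
        name = role.get((a["resourceId"], a["appRoleId"]), a["appRoleId"])
        out.setdefault((api[a["resourceId"]], "Application"), set()).add(name)
    for g in scope_grants:      # delegated permissions: space-separated scopes
        out.setdefault((api[g["resourceId"]], "Delegated"), set()).update(g["scope"].split())
    return out

def audit(actual):
    """Return (missing, extra) as sorted lists of (api, type, permission)."""
    keys = sorted(set(EXPECTED) | set(actual))
    missing = [(*k, p) for k in keys for p in sorted(EXPECTED.get(k, set()) - actual.get(k, set()))]
    extra = [(*k, p) for k in keys for p in sorted(actual.get(k, set()) - EXPECTED.get(k, set()))]
    return missing, extra

# Constructed sample export (placeholder ids, not real tenant data): step 44 was
# skipped and an unrelated Graph application role (Mail.ReadWrite) was granted.
def sp(id_, name, roles):  # builds a servicePrincipal-like record
    return {"id": id_, "displayName": name,
            "appRoles": [{"id": f"{id_}-{i}", "value": v} for i, v in enumerate(roles)]}
RESOURCES = [
    sp("graph", "Microsoft Graph", ["Directory.Read.All", "Group.Read.All",
        "TeamSettings.ReadWrite.All", "Sites.Read.All", "Group.ReadWrite.All", "Mail.ReadWrite"]),
    sp("exo", "Office 365 Exchange Online", ["full_access_as_app"]),
    sp("spo", "SharePoint", ["Sites.FullControl.All", "User.Read.All"])]
ROLE_ASSIGNMENTS = [{"resourceId": r, "appRoleId": f"{r}-{i}"} for r, i in [
    ("graph", 0), ("graph", 1), ("graph", 2), ("graph", 3), ("graph", 5),
    ("exo", 0), ("spo", 0), ("spo", 1)]]
SCOPE_GRANTS = [{"resourceId": r, "scope": s} for r, s in [
    ("graph", "Directory.Read.All Group.Read.All Sites.Read.All offline_access"),
    ("exo", "EWS.AccessAsUser.All"), ("spo", "AllSites.FullControl User.Read.All")]]
print(audit(granted(RESOURCES, ROLE_ASSIGNMENTS, SCOPE_GRANTS)))
```

An empty `extra` list matters as much as an empty `missing` list here, because the application already holds tenant-wide roles such as full_access_as_app and Sites.FullControl.All.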
Create Application secrets (Optional)
We specify an SSL certificate to use for data exchange between Veeam Backup for Microsoft 365 and the Azure AD application, but if you would like to use an Application secret in the Exchange Online credentials settings of VBO365, you need to create the Application secret from the Certificates & secrets settings.
1. On the Application page, select Certificates & secrets.
2. On the Certificates & secrets page, select Client secrets.
3. On the Client secrets page, select +New client secret.
4. On the Add a client secret page, enter a description for the secret, select the Expires period, click Add.
5. Copy the Value; it will be used as the Application secret in the VBO settings.
Hope you enjoy this post.
Cary Sun
Twitter: @SifuSun
Web Site: carysun.com
Blog Site: checkyourlogs.net
Blog Site: gooddealmart.com
Author: Cary Sun