If you add an organization using the basic authentication method or the Modern Authentication and Legacy Protocols method, you must provide a username and password to authenticate to your Microsoft 365 organization.
I don't recommend adding an organization with basic authentication: Microsoft announced that, effective October 1, 2022, they will begin disabling Basic authentication for Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online. SMTP Auth will also be disabled if it is not being used.
Backup account permissions requirements:
When you add a Microsoft 365 organization using basic authentication, you use a Veeam Backup account. You also use a Veeam Backup account for on-premises Microsoft Exchange and on-premises Microsoft SharePoint organizations.
To allow Veeam Backup for Microsoft 365 to work with Microsoft Exchange organizations, Microsoft SharePoint and OneDrive for Business organizations, and to protect Microsoft Teams data, you must grant the required permissions to the Veeam Backup account.
Microsoft Exchange Organizations permissions requirement:
- The account you are using to add an organization must be a member of this organization
- The account you are using to add an organization is not required to have a mailbox in such an organization
- If you are backing up public folder mailboxes, the Veeam Backup account must have a valid Exchange Online license and an active mailbox within the Microsoft 365 organization
Role | Description
Role Management | Required to grant the ApplicationImpersonation role.
ApplicationImpersonation | Required to back up Exchange data.
Organization Configuration | Required to manage role assignments.
View-Only Configuration | Required to obtain necessary configuration parameters.
View-Only Recipients | Required to view mailbox recipients.
Mailbox Search or Mail Recipients | Required to back up groups.
Owner | Required to back up and restore public folders.
Microsoft SharePoint and OneDrive for Business permissions requirement:
- On-Premises Microsoft SharePoint Organizations
Role | Description | Misc.
Site Collection Administrator | Required to back up Microsoft SharePoint Sites. | The account must be a member of the Farm Administrator group.
- Microsoft SharePoint Online Organizations
Role | Description | Misc.
SharePoint Admin | Required to back up Microsoft SharePoint Sites. | You can assign the Global Admin role that overrides these roles.
View-Only Configuration | Required to get a list of available groups and users. |
View-Only Recipients |
Microsoft Teams
- The account must have a Microsoft 365 license that permits access to Microsoft Teams API. The minimum sufficient license is Microsoft Teams Exploratory experience
- The account must have the Team Administrator role assigned
Note:
- In case you add an organization in Veeam Backup for Microsoft 365 using the modern authentication method with legacy protocols allowed, and specify different accounts to connect to Microsoft Exchange and Microsoft SharePoint, the required license and role must be assigned to the account used to connect to Microsoft SharePoint.
- When backing up Microsoft Teams data in an organization added using basic authentication, Veeam Backup for Microsoft 365 first adds a service account to every team and then removes it.
The detailed permission requirements are available at the following link:
https://helpcenter.veeam.com/docs/vbo365/guide/permissions_veeam_backup_account.html?ver=60
Azure AD Application Permissions requirement
- Permissions for Modern Authentication and Legacy Protocols
API | Permission name | Exchange Online | SharePoint Online and OneDrive for Business | Microsoft Teams | Description | |||
Microsoft Graph | Directory.Read.All | ✔ | ✔ | ✔ | Querying Azure AD for organization properties, the list of users and groups and their properties. | |||
Group.Read.All | ✔ | ✔ | ✔ | Querying Azure AD for the list of groups and group sites. | ||||
TeamSettings.ReadWrite.All | ✔ | Accessing archived teams. | ||||||
Sites.Read.All | ✔ | Accessing sites of the applications that are installed from the SharePoint store. | ||||||
Office 365 Exchange Online | full_access_as_app | ✔ | ✔ | Reading mailboxes content. | ||||
SharePoint | Sites.FullControl.All | ✔ | ✔ | Reading SharePoint sites and OneDrive accounts content. | ||||
User.Read.All | ✔ | ✔ | Reading OneDrive accounts (getting site IDs). |
1.Log in to the Veeam Backup for Microsoft 365 Manager server.
2.Open PowerShell as Administrator.
3.In the PowerShell window, run the command below, type Y, and then press Enter.
Set-ExecutionPolicy RemoteSigned
4.Run the command below, type Y, and then press Enter.
Install-Module -Name PowerShellGet -Force
5.Run the command below to make sure the module is up to date, type Y, and then press Enter.
Update-Module -Name PowerShellGet
Assign Exchange Online permissions to backup service account
6.Run the command below to install the latest Exchange Online PowerShell module, type Y, and then press Enter.
Install-Module -Name ExchangeOnlineManagement
7.Run the command below to load the EXO V2 module.
Import-Module ExchangeOnlineManagement
8.Run the command below to connect to Exchange Online.
Connect-ExchangeOnline -UserPrincipalName navin@contoso.com
9.In the sign-in window that opens, enter your password, and then click Sign in.
10.Select your verification method.
11.Enter the code and click Verify.
12.Run the following cmdlet to grant the ApplicationImpersonation role to the backup account.
New-ManagementRoleAssignment -Role ApplicationImpersonation -User user.name@domain.com
13.If you receive an error message, run the following command first and then re-run the command above.
Enable-OrganizationCustomization
14.Run the command below to list the users to whom the ApplicationImpersonation role has already been granted.
Get-ManagementRoleAssignment -Role "ApplicationImpersonation"
15.Run the following cmdlet to grant the Role Management role to the backup account.
New-ManagementRoleAssignment -Role "Role Management" -User user.name@domain.com
16.Run the command below to list the users to whom the Role Management role has already been granted.
Get-ManagementRoleAssignment -Role "Role Management"
17.Run the following cmdlet to grant the Organization Configuration role to the backup account.
New-ManagementRoleAssignment -Role "Organization Configuration" -User user.name@domain.com
18.Run the command below to list the users to whom the Organization Configuration role has already been granted.
Get-ManagementRoleAssignment -Role "Organization Configuration"
19.Run the following cmdlet to grant the View-Only Configuration role to the backup account.
New-ManagementRoleAssignment -Role "View-Only Configuration" -User user.name@domain.com
20.Run the command below to list the users to whom the View-Only Configuration role has already been granted.
Get-ManagementRoleAssignment -Role "View-Only Configuration"
21.Run the following cmdlet to grant the View-Only Recipients role to the backup account.
New-ManagementRoleAssignment -Role "View-Only Recipients" -User user.name@domain.com
22.Run the command below to list the users to whom the View-Only Recipients role has already been granted.
Get-ManagementRoleAssignment -Role "View-Only Recipients"
23.Run the following cmdlet to grant the Mailbox Search role to the backup account.
New-ManagementRoleAssignment -Role "Mailbox Search" -User user.name@domain.com
24.Run the command below to list the users to whom the Mailbox Search role has already been granted.
Get-ManagementRoleAssignment -Role "Mailbox Search"
25.If you are using public folders and would like to back up and restore them, you need to assign the Owner role in the folder permissions of the public folder.
26.Sign in to Office 365 with a global admin account and open the Office 365 admin center.
27.On the Microsoft 365 admin center page, select Exchange.
28.In the Exchange admin center (EAC), navigate to Public folders.
29.In the list view, select the public folder.
30.In the details pane, under Folder permissions, click Manage.
31.In Public Folder Permissions, click Add +.
32.Click Browse to select a user (the backup service account; in my case it is VBOBK).
33.In the Permission level list, select a level. At least one user should be an Owner.
34.Click Save.
35.To protect your Microsoft 365 organization data properly when you add an organization using either modern authentication with legacy protocols allowed or basic authentication, run the commands below to create a new authentication policy with the AllowBasicAuthPowershell and AllowBasicAuthWebService parameters enabled, and assign it to the Veeam Backup account.
New-AuthenticationPolicy -Name "Allow Basic Auth"
Set-AuthenticationPolicy -Identity "Allow Basic Auth" -AllowBasicAuthPowershell
Set-AuthenticationPolicy -Identity "Allow Basic Auth" -AllowBasicAuthWebService
Set-User -Identity <VeeamBackupAccount> -AuthenticationPolicy "Allow Basic Auth"
36.To back up public folder mailboxes correctly, run the command below to enable the AllowBasicAuthAutodiscover parameter for the created authentication policy.
Set-AuthenticationPolicy -Identity "Allow Basic Auth" -AllowBasicAuthAutodiscover
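The role grants in steps 12-24 and the authentication policy from steps 35-36 can be applied and checked in one pass. The script below is an added example, not part of the original post or of Veeam's documentation; it assumes an active Connect-ExchangeOnline session, and $BackupAccount and the other variable names are placeholders.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already succeeded.
$BackupAccount = 'user.name@domain.com'   # placeholder, as in the steps above
$PolicyName    = 'Allow Basic Auth'       # policy name used in step 35

# Management roles from the Exchange permissions table. "Owner" is left out:
# it is a public folder permission level, set in the EAC (steps 25-34).
$RequiredRoles = 'Role Management', 'ApplicationImpersonation',
    'Organization Configuration', 'View-Only Configuration',
    'View-Only Recipients', 'Mailbox Search'

foreach ($role in $RequiredRoles) {
    # Assignments (direct or through a group) that already give the account this role.
    $existing = Get-ManagementRoleAssignment -Role $role -RoleAssignee $BackupAccount
    if ($existing) {
        Write-Host "Already present: $role"
    } else {
        New-ManagementRoleAssignment -Role $role -User $BackupAccount | Out-Null
        Write-Host "Granted: $role"
    }
}

# ApplicationImpersonation is the role that lets an account read mailbox data,
# so list every effective holder and confirm that only expected accounts appear.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
    Select-Object RoleAssigneeName, EffectiveUserName, AssignmentMethod |
    Format-Table -AutoSize

# The policy should enable only the three Basic auth switches set in steps 35-36.
# Names below are the properties as reported by Get-AuthenticationPolicy.
$expected = 'AllowBasicAuthPowershell', 'AllowBasicAuthWebServices',
    'AllowBasicAuthAutodiscover'
$policy  = Get-AuthenticationPolicy -Identity $PolicyName
$enabled = @($policy.PSObject.Properties |
    Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
    ForEach-Object { $_.Name })
$extra   = @($enabled | Where-Object { $_ -notin $expected })
$missing = @($expected | Where-Object { $_ -notin $enabled })

Write-Host "Enabled on '$PolicyName': $($enabled -join ', ')"
if ($extra)   { Write-Warning "Unexpected Basic auth switches: $($extra -join ', ')" }
if ($missing) { Write-Warning "Expected switches not enabled: $($missing -join ', ')" }

# Show which authentication policy the backup account is actually assigned.
Get-User -Identity $BackupAccount | Format-List Name, AuthenticationPolicy
```

Re-running the script is safe: roles the account already holds are reported, not assigned again.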
Assign SharePoint Online Permissions to backup service account
37.Run the command below to install the latest SharePoint Online PowerShell module, type Y, and then press Enter.
Install-Module -Name Microsoft.Online.SharePoint.PowerShell
38.Run the command below to make sure the module is up to date, type Y, and then press Enter.
Update-Module -Name Microsoft.Online.SharePoint.PowerShell
39.Run the command below to connect to SharePoint Online.
Connect-SPOService -Url https://<your tenant id>-admin.sharepoint.com/
40.In the sign-in window, enter the account name, and then click Next.
41.In the Enter Password window, enter the password of the account, and then click Sign in.
42.Select your verification method.
43.Enter the code and click Verify.
44.To add Microsoft SharePoint Online organizations, run the command below to make sure that the LegacyAuthProtocolsEnabled setting is enabled.
Set-SPOTenant -LegacyAuthProtocolsEnabled $True
45.Run the command below to install the Azure AD module, type Y, and then press Enter.
Install-Module MSOnline
46.Run the command below to connect to the Azure AD service.
Connect-MsolService
47.In the sign-in window, enter the account name, and then click Next.
48.In the Enter Password window, enter the password of the account, and then click Sign in.
49.Select your verification method.
50.Enter the code and click Verify.
51.Run the commands below to grant the SharePoint Administrator role to the backup account (for Microsoft SharePoint Online organizations).
$role=Get-MsolRole -RoleName "SharePoint Administrator"
$accountname="example@domain.com"
Add-MsolRoleMember -RoleMemberEmailAddress $accountname -RoleName $role.Name
Configure the App password for backup service account
52.Sign in to the Office 365 portal with a Global Admin account and select Admin.
53.In the Microsoft 365 admin center, expand Users and select Active users.
54.On the Active users page, select Multi-factor authentication.
55.On the multi-factor authentication page, select service settings.
56.On the service settings page, select Allow users to create app passwords to sign in to non-browser apps, click save, and then sign out of the Office 365 portal.
57.Sign in to the Office 365 portal with the backup service account and select View account.
58.On the My account page, select Security info.
59.On the Security info page, select +Add method.
60.On the Add a method page, select App password and click Add.
61.Type VBO365APP as the name of the app password and click Next.
62.Copy the password and keep it in a safe place; it will not be shown again. Click Done.
63.Sign out of My account.
Hope you enjoy this post.
Cary Sun
Twitter: @SifuSun
Web Site: carysun.com
Blog Site: checkyourlogs.net
Blog Site: gooddealmart.com