Good Deal Mart
  • FULL BLOG
  • Tech
    • Azure
    • VEEAM
    • Virtual Machines
    • CITRIX
    • Server
    • Office 365
    • DirectAccess
    • Exchange
    • Step By Step
    • CISCO
  • Tutorial
    • CAMTASIA
  • GAMES
  • HOLIDAYS
  • Sports
Good Deal Mart
Skip to content
  • FULL BLOG
  • Tech
    • Azure
    • VEEAM
    • Virtual Machines
    • CITRIX
    • Server
    • Office 365
    • DirectAccess
    • Exchange
    • Step By Step
    • CISCO
  • Tutorial
    • CAMTASIA
  • GAMES
  • HOLIDAYS
  • Sports

How to configure service account permissions required for Veeam Backup for Microsoft Office 365

Cary Sun    April 18, 2022 April 14, 2022    Comments Off on How to configure service account permissions required for Veeam Backup for Microsoft Office 365

You are required to provide a username and password to authenticate to your Microsoft 365 organization if you add an organization using the basic authentication or Modern Authentication and Legacy Protocols method.

I won’t recommend adding organization with basic authentication, Microsoft announced that effective October 1, 2022, they will begin disabling Basic authentication for Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online. SMTP Auth will also be disabled if it is not being used.

Backup account permissions requirements:

When you add Microsoft 365 organization using basic authentication, you use Veeam Backup account. Also, you use Veeam Backup account for on-premises Microsoft Exchange and on-premises Microsoft SharePoint organizations.

To provide Veeam Backup for Microsoft 365 with the ability to work with Microsoft Exchange organizations, Microsoft SharePoint and OneDrive for Business organizations, and protect Microsoft Teams data, you must grant the requirement permissions to the Veeam Backup account.

Microsoft Exchange Organizations permissions requirement:

  • The account you are using to add an organization must be a member of this organization
  • The account you are using to add an organization is not required to have a mailbox in such an organization
  • If you are backing up public folder mailboxes, the Veeam Backup account must have a valid Exchange Online license and an active mailbox within the Microsoft 365 organization
Role Description
Role Management Required to grant the ApplicationImpersonation role.
ApplicationImpersonation Required to back up Exchange data.
Organization Configuration Required to manage role assignments.
View-Only Configuration Required to obtain necessary configuration parameters.
View-Only Recipients Required to view mailbox recipients.
Mailbox Search or Mail Recipients Required to back up groups.
Owner Required to backup/restore public folders.

Microsoft SharePoint and OneDrive for Business permissions requirement:

  • On-Premises Microsoft SharePoint Organizations
Role Description Misc.
Site Collection Administrator Required to back up Microsoft SharePoint Sites. The account must be a member of the Farm Administrator group.
  • Microsoft SharePoint Online Organizations
Role Description Misc.
SharePoint Admin Required to back up Microsoft SharePoint Sites. You can assign the Global Admin role that overrides these roles.
View-only Configuration Required to get a list of available groups and users.
View-Only Recipients
  • Microsoft Teams
    • The account must have a Microsoft 365 license that permits access to Microsoft Teams API. The minimum sufficient license is Microsoft Teams Exploratory experience
    • The account must have the Team Administrator role assigned

Note:

  • In case you add an organization in Veeam Backup for Microsoft 365 using the modern authentication method with legacy protocols allowed, and specify different accounts to connect to Microsoft Exchange and Microsoft SharePoint, the required license and role must be assigned to the account used to connect to Microsoft SharePoint.
  • When backing up Microsoft Teams data in an organization added using the basic authentication, Veeam Backup for Microsoft 365 at first adds a service account to every team and then removes it.

The detail permissions requirement as link.

https://helpcenter.veeam.com/docs/vbo365/guide/permissions_veeam_backup_account.html?ver=60

Azure AD Application Permissions requirement

  • Permissions for Modern Authentication and Legacy Protocols
API Permission name Exchange Online SharePoint Online and OneDrive for Business Microsoft Teams Description
Microsoft Graph Directory.Read.All ✔ ✔ ✔ Querying Azure AD for organization properties, the list of users and groups and their properties.
Group.Read.All ✔ ✔ ✔ Querying Azure AD for the list of groups and group sites.
TeamSettings.ReadWrite.All ✔ Accessing archived teams.
Sites.Read.All ✔ Accessing sites of the applications that are installed from the SharePoint store.
Office 365 Exchange Online full_access_as_app ✔ ✔ Reading mailboxes content.
SharePoint Sites.FullControl.All ✔ ✔ Reading SharePoint sites and OneDrive accounts content.
User.Read.All ✔ ✔ Reading OneDrive accounts (getting site IDs).

1.Login to Veeam Backup for Microsoft 365 Manager server.

2.Open PowerShell as Administrator.

3.In a PowerShell window, run below command, type Y and then press Enter.


Set-ExecutionPolicy RemoteSigned

041422 1548 Howtoconfig1 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

4.Run below command, type Y and then press Enter.


Install-Module -Name PowerShellGet -Force

041422 1548 Howtoconfig2 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

5.Run below command to make sure the module is up to dat, type Y and then press Enter.


Update-Module -Name PowerShellGet

041422 1548 Howtoconfig3 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

Assign Exchange Online permissions to backup service account

6.Run below command to install the latest Exchange Online PowerShell Module, type Y and then press Enter.


Install-Module -Name ExchangeOnlineManagement

041422 1548 Howtoconfig4 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

7.Run below commands to load the EXO V2 module.


Import-Module ExchangeOnlineManagement

041422 1548 Howtoconfig5 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

8.Run below commands to connect to ExchangeOnline.


Connect-ExchangeOnline -UserPrincipalName navin@contoso.com.

041422 1548 Howtoconfig6 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

9.On the sign-in window that opens, enter your password, and then click Sign in.

041422 1548 Howtoconfig7 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

10.Select your verification Method.

041422 1548 Howtoconfig8 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

11.Enter the code, click Verify.

041422 1548 Howtoconfig9 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

12.Run the following cmdlet to grant ApplicationImpersonation role for backup account.


New-ManagementRoleAssignment –Role ApplicationImpersonation –User user.name@domain.com

041422 1548 Howtoconfig10 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

13.If it happened error message as below, you need to run following command first and then re-run above command.


Enable-OrganizationCustomization

041422 1548 Howtoconfig11 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

14.Run Below command to obtain the list of users whom the ApplicationImpersonation role has already been granted.


Get-ManagementRoleAssignment -Role "ApplicationImpersonation"

041422 1548 Howtoconfig12 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

15.Run the following cmdlet to grant Role Management role for backup account.


New-ManagementRoleAssignment –Role "Role Management" –User user.name@domain.com

041422 1548 Howtoconfig13 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

16.Run Below command to obtain the list of users whom the Role Management role has already been granted.


Get-ManagementRoleAssignment -Role "Role Management"

041422 1548 Howtoconfig14 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

17.Run the following cmdlet to grant Organization Configuration role for backup account.


New-ManagementRoleAssignment –Role "Organization Configuration" –User user.name@domain.com

041422 1548 Howtoconfig15 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

18.Run Below command to obtain the list of users whom the Organization Configuration role has already been granted.


Get-ManagementRoleAssignment -Role "Organization Configuration"

041422 1548 Howtoconfig16 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

19.Run the following cmdlet to grant View-Only Configuration role for backup account.


New-ManagementRoleAssignment –Role "View-Only Configuration" –User user.name@domain.com

041422 1548 Howtoconfig17 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

20.Run Below command to obtain the list of users whom the View-Only Configuration role has already been granted.


Get-ManagementRoleAssignment -Role "View-Only Configuration"

041422 1548 Howtoconfig18 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

21.Run the following cmdlet to grant View-Only Recipients role for backup account.


New-ManagementRoleAssignment –Role "View-Only Recipients" –User user.name@domain.com

041422 1548 Howtoconfig19 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

22.Run Below command to obtain the list of users whom the View-Only Recipient role has already been granted.


Get-ManagementRoleAssignment -Role "View-Only Recipients"

041422 1548 Howtoconfig20 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

23.Run the following cmdlet to grant Mailbox Search role for backup account.


New-ManagementRoleAssignment –Role "Mailbox Search" –User user.name@domain.com

041422 1548 Howtoconfig21 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

24.Run Below command to obtain the list of users whom the Mailbox Search role has already been granted.


Get-ManagementRoleAssignment -Role "Mailbox Search"

041422 1548 Howtoconfig22 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

25.if you are using public folder and would like to backup/restore public folders, you need to assign Owner role to folder permission of public folder.

26.Sign in office365 with global admin account, open office 365 admin center.

041422 1548 Howtoconfig23 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

27.On the Microsoft 365 admin center page, select Exchange.

041422 1548 Howtoconfig24 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

28.In the Exchange admin center (EAC), navigate to Public folders.

29.In the list view, select the public folder.

041422 1548 Howtoconfig25 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

30.In the details pane, under Folder permissions, click Manage.

31.In Public Folder Permissions, click Add +.

32.Click Browse to select a user (backup service account, in my case is VBOBK)

33.In the Permission level list, select a level. At least one user should be an Owner.

34.Click Save.

35.To protect your Microsoft 365 organization data properly when you add an organization using either modern authentication with legacy protocols allowed or basic authentication, Run below commands to create a new authentication policy with the AllowBasicAuthPowershell and AllowBasicAuthWebService parameters enabled for the Veeam Backup account.

New-AuthenticationPolicy -Name “Allow Basic Auth”

041422 1548 Howtoconfig26 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365


Set-AuthenticationPolicy -Identity "Allow Basic Auth" -AllowBasicAuthPowershell

Set-AuthenticationPolicy -Identity "Allow Basic Auth" -AllowBasicAuthWebService

Set-User -Identity <VeeamBackupAccount> -AuthenticationPolicy "Allow Basic Auth"

041422 1548 Howtoconfig27 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

36.Run below command to back up public folder mailboxes correctly, enable the AllowBasicAuthAutodiscover parameter for the created authentication policy.


Set-AuthenticationPolicy -Identity "Allow Basic Auth" -AllowBasicAuthAutodiscover

041422 1548 Howtoconfig28 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

Assign SharePoint Online Permissions to backup service account

37.Run below command to install the latest SharePoint Online PowerShell Module, type Y and then press Enter.


Install-Module -Name Microsoft.Online.SharePoint.PowerShell

041422 1548 Howtoconfig29 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

38.Run below command to make sure the module is up to dat, type Y and then press Enter.


Update-Module -Name Microsoft.Online.SharePoint.PowerShell

041422 1548 Howtoconfig30 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

39.Run below commands to connect to SharePoint Online.


Connect-SPOService -Url <a href="https://%3cyour">https://<your</a> tenant id>-admin.sharepoint.com/

041422 1548 Howtoconfig31 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

40.On the sign-in window, enter the account name, and then click Next.

041422 1548 Howtoconfig32 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

41.On the Enter Password window, enter password of the account, and then click Sign in.

041422 1548 Howtoconfig33 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

42.Select your verification Method.

041422 1548 Howtoconfig34 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

43.Enter the code, click Verify,

041422 1548 Howtoconfig35 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

44.Run below command to add Microsoft SharePoint Online organizations, make sure that the LegacyAuthProtocolsEnabled setting is enabled.


Set-SPOTenant -LegacyAuthProtocolsEnabled $True

041422 1548 Howtoconfig36 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

45.Run below command to install the Azure AD Module, type Y and then press Enter..


Install-Module MSOnline

041422 1548 Howtoconfig37 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

46.Run below commands to connect to Azure AD service.


Connect-MsolService

041422 1548 Howtoconfig38 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

47.On the sign-in window, enter the account name, and then click Next.

041422 1548 Howtoconfig39 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

48.On the Enter Password window, enter password of the account, and then click Sign in.

041422 1548 Howtoconfig40 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

49.Select your verification Method.

041422 1548 Howtoconfig41 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

50.Enter the code, click Verify,

041422 1548 Howtoconfig42 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

51.Run below commands to grant the SharePoint Administrator role to backup account (for Microsoft SharePoint Online organizations).


$role=Get-MsolRole -RoleName "SharePoint Administrator"

$accountname="example@domain.com"

Add-MsolRoleMember -RoleMemberEmailAddress $accountname -RoleName $role.Name

041422 1548 Howtoconfig43 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

Configure the App password for backup service account

52.Sign in Office 365 portal with Global Admin account, select Admin.

041422 1548 Howtoconfig44 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

53.On the Microsoft 365 admin center, expend Users, select Active users.

041422 1548 Howtoconfig45 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

54.On the Active users page, select Multi-factor authentication.

041422 1548 Howtoconfig46 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

55.On the multi-factor authentication page, select service settings.

041422 1548 Howtoconfig47 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

56.On the service settings page, select Allow users to create app password to sign in to non-browser apps, click save and then sign out from office 365 portal.

041422 1548 Howtoconfig48 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

57.Sign in Office 365 portal with backup service account, select View account.

041422 1548 Howtoconfig49 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

58.On the My account page, select Security info.

041422 1548 Howtoconfig50 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

59.On the Security info page, select +Add method.

041422 1548 Howtoconfig51 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

60.On the Add a Method, select App password, click Add

041422 1548 Howtoconfig52 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

61.Type VBO365APP as name of App password, click Next.

041422 1548 Howtoconfig53 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

62.Copy and keep the password in a safe place, It will not be shown again, click Done.

041422 1548 Howtoconfig54 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

63.Sign out from My account.

041422 1548 Howtoconfig55 - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

Hope you enjoy this post.

Cary Sun

Twitter: @SifuSun

Web Site: carysun.com

Blog Site: checkyourlogs.net

Blog Site: gooddealmart.com

ca16fbd3199de5f66b829b87082fb970?s=80&d=retro&r=g - How to configure service account permissions required for Veeam Backup for Microsoft Office 365

Author: Cary Sun

Cary Sun is an Principal Consultant, He has a strong background specializing in datacenter and deployment solutions, and has spent over 20 years in the planning, design, and implementation of network technologies and Management and system integration.He hold CISCO CERTIFIED INTERNETWORK EXPERT (CCIE No.4531) from 1997.Cary is also a Microsoft Most Valuable Professional (MVP) and Cisco Champion, He is a published author with serveral titles, include blogs on Checkyourlogs.net, author for many books. Specialties: CCIE /CCNA / MCSE / MCITP / MCTS / MCSA / Solution Expert / CCA
Blog:
http://www.carysun.com http://www.checkyourlogs.net
Twitter:@SifuSun

Related

FULL BLOG, VEEAM    How to, Microsoft, Microsoft Office 365, service account, VEEAM, Veeam Backup for Microsoft Office 365

About Cary Sun

Cary Sun is an Principal Consultant, He has a strong background specializing in datacenter and deployment solutions, and has spent over 20 years in the planning, design, and implementation of network technologies and Management and system integration.He hold CISCO CERTIFIED INTERNETWORK EXPERT (CCIE No.4531) from 1997.Cary is also a Microsoft Most Valuable Professional (MVP) and Cisco Champion, He is a published author with serveral titles, include blogs on Checkyourlogs.net, author for many books. Specialties: CCIE /CCNA / MCSE / MCITP / MCTS / MCSA / Solution Expert / CCA Blog: http://www.carysun.com http://www.checkyourlogs.net Twitter:@SifuSun

View all posts by Cary Sun →

Post navigation

How to add organization with Modern app-only authentication and register a new Azure AD application automically for Veeam Backup for Microsoft Office 365
How to configure Azure AD Application Permissions for Modern App-Only Authentication of Veeam Backup for Microsoft 365

Help Keeping The Website Alive and Running!





SUBSCRIBE TO OUR BLOG

Loading

The Community

CISCO CERTIFICATE

MICROSOFT AWARD

VEEAM AWARD

CISCO AWARD

Follow @Sifusun on twitter!

Cary Sun MVP πŸ‡¨πŸ‡¦ Follow

CISCO CCIE#4531 | Cisco Champion 2018-2019 | Microsoft Cloud and Datacenter Management MVP | Citrix CCP | Veeam Vanguard

SifuSun
sifusun Cary Sun MVP πŸ‡¨πŸ‡¦ @sifusun ·
11h

How to add the network attached storage (SMB shares) as a backup repository in Veeam Backup for Microsoft 365 v6 https://carysun.com/how-to-add-the-network-attached-smb-shares-as-a-backup-repository-in-veeam-backup-for-microsoft-365-v6/ #Veeam #Vanguard #Microsoft #MVPbuzz #Microsoft365

Reply on Twitter 1619407475509428224 Retweet on Twitter 1619407475509428224 1 Like on Twitter 1619407475509428224 2 Twitter 1619407475509428224
Retweet on Twitter Cary Sun MVP πŸ‡¨πŸ‡¦ Retweeted
madicristil Madalina Cristil @madicristil ·
23h

Recap #105 πŸˆπŸ’š is available at http://community.veeam.com - sneak peak- we are talking V12 launch happening on 14th of February! Don't miss on that! @dannyallan5 @anandeswaran @gostev @RickVanover will share great content! https://community.veeam.com/news-56/veeam-community-recap-105-4069

Reply on Twitter 1619236644955262976 Retweet on Twitter 1619236644955262976 5 Like on Twitter 1619236644955262976 16 Twitter 1619236644955262976
sifusun Cary Sun MVP πŸ‡¨πŸ‡¦ @sifusun ·
27 Jan

How to add a backup proxy server’s local directory as a backup repository in Veeam Backup for Microsoft 365 v6.0 https://carysun.com/how-to-add-a-backup-proxy-servers-local-directory-as-a-backup-repository-in-veeam-backup-for-microsoft-365-v6-0/ #veeam #veeamzing #community
#Vanguard #Microsoft365 #Microsoft

Reply on Twitter 1619014945676627971 Retweet on Twitter 1619014945676627971 Like on Twitter 1619014945676627971 Twitter 1619014945676627971
sifusun Cary Sun MVP πŸ‡¨πŸ‡¦ @sifusun ·
26 Jan

How to upgrade Server 2012 R2 generation 1 VM to 2019 (2022) generation 2 https://carysun.com/how-to-upgrade-server-2012-r2-generation-1-vm-to-2019-2022-generation-2/ #mvpbuzz #Microsoft

Reply on Twitter 1618687354042191873 Retweet on Twitter 1618687354042191873 1 Like on Twitter 1618687354042191873 2 Twitter 1618687354042191873
sifusun Cary Sun MVP πŸ‡¨πŸ‡¦ @sifusun ·
24 Jan

For environments using a Hyper-V host running Server 2012 R2, there is only one option: Application-Aware Processing must be enabled within the backup or replication job(s), and it must successfully process the VMs.
https://www.veeam.com/kb4377?utm_source=feedotter&utm_medium=email&utm_campaign=FO-01-24-2023&utm_content=httpswwwveeamcomkb4377

Reply on Twitter 1617940841812885504 Retweet on Twitter 1617940841812885504 Like on Twitter 1617940841812885504 Twitter 1617940841812885504
Load More

Tags

2FA60 fps10001000 visitors1327.Invalid Drive201720182019Access DeniedAccess is DeniedAccessPressActivateActive Directoryactive directory SyncActiveSyncAdADCAD DCaliasesA lot

Archives

  • January 2023
  • June 2022
  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • November 2018
  • October 2018
  • July 2018
  • June 2018
  • May 2018
  • April 2018
  • March 2018
  • February 2018
  • January 2018
  • December 2017
Ribosome by GalussoThemes.com
Powered by WordPress