[Guide] Veeam Backup for Microsoft Office 365 - Security Notifications for each Restore operation


Userlevel 7
Badge +6

Greetings friends, some time ago I wrote about how to enable these notifications for Veeam Backup for Microsoft 365, it was a success, and very simple until Microsoft, and Google, disabled the normal SMTP on TLS, so many people ended with these notifications broken due the force of OAuth.

Since Veeam Backup for Microsoft 365 v7, you can configure OAuth on the Console, for regular email notifications. But the Audit Email Settings configuration API wasn’t that trivial andeasy to setup, until today. We will go step by step, so you can have those Audit operations working again. Let’s go.

Recommended – All Automated!

Please come here to find everything automated:

You will find there two scripts to make your life easier with this.

Audit Diagram in Veeam Backup for Microsoft 365

Before we start with the subject, I think a diagram about how all these works can help us better understand what we are going to do, and activate:

How to Enable the Email Notification of the Audited items – OAuth

First step: PrepareOAuthSignIn

This configuration is done through RESTful API, once we got Bearer and we are authorized. We will go now to AuditEmailSettings, and we will see the next operations, we will select the first POST, PrepareOAuthSignIn:

We will need to paste the next payload in the textbox, and click Try it out!

{
"authenticationServiceKind": "Microsoft365",
"redirectUrl": "http://localhost/"
}

The result of the query, if all goes well should be Response Code: 200 with the next Body:

{
"requestId": "VERYLONGREQUESTID",
"signInUrl": "https://login.microsoftonline.com/YOURTENANTID/oauth2/v2.0/authorize?client_id=YOURCLIENTID&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2F&response_mode=query&prompt=consent&nonce=SOMELONGSTUFF&scope=openid%20offline_access%20email%20Mail.Send&state=VERYLONGREQUESTID"
}

Great! That worked. So at least we know that PrepareOAuthSignIn is working.

Second step: CompleteOAuthSignIn

We are close to the end, but now we need to take that signInUrl from the previous response and open it on a web browser, it will ask us to login with an user that has privileges in our tenant, very traditional procedure:

As we have selected localhost as URL, after succesful login it will redirect to a 404 page, which URL is the next:

http://localhost/?code=0.EXTREMELYLONGSTUFF&state=NOTTHATLONGBUTLONGSTUFF&session_state=SOMELESSLONGSTUFF#

It is very simple for you to see here the different values, but on the real-world, this URL it will be extremely long, so I recommend you to take it to a notepad and look for the character &, so basically we need from this URL the next:

  • code: 0.EXTREMELYLONGSTUFF
  • state: NOTTHATLONGBUTLONGSTUFF

Alright, we are ready to finally open the endpoint and pass the next payload:

{
"code": "0.EXTREMELYLONGSTUFF",
"state": "NOTHTATLONGBUTLONGSTUFF"
}

The result of the query, if all goes well should be Response Code: 200 with the next Body:

{
"requestId": "VERYLONGREQUESTGOODSTUFF",
"userId": "jorge.delacruz@jorgedelacruz.es"
}

Take note of those two values, we will need them. Very great work so far!

Third and final step: PUT AuditEmailSettings

That was long, hopefully you are still here, as the last thing to do is open the PUT AuditEmailSettings and pass the next payload. I will recommend the TO: to be a DL where multiple Audit Operators receive everything happening in the VB365 Restore Operations, very simple at the end, right:

{
"enableNotification": true,
"from": "jorge.delacruz@jorgedelacruz.es",
"to": "jorge.delacruz@jorgedelacruz.es",
"subject": "Audit",
"authenticationType": "Microsoft365",
"userId": "jorge.delacruz@jorgedelacruz.es",
"requestId": "VERYLONGREQUESTGOODSTUFF"
}

The result of the query, if all goes well should be Response Code: 200, and no content. But on your destination TO: email address you will receive the next email:

All good, for now! At least the email traffic flow configuration is working.

LEGACY: But I am using normal SMTP!

Good, then you just need to do the next on the PUT AuditEmailSettings:

{
"enableNotification": true,
"smtpServer": "smtp.office365.com",
"port": 587,
"useAuthentication": true,
"username": "YOURUSER@DOMAIN.COM",
"userPassword": "YOURPASS",
"useSSL": true,
"from": "veeam@DOMAIN.COM",
"to": "veeam@DOMAIN.COM",
"subject": "VBO Audit - %StartTime% — %OrganizationName% - %DisplayName% - %Action% - %InitiatedByUserName%"
}

How to Enable Auditing of protected items with Veeam Backup for Microsoft 365

We have all the help and official information in the following link, but it is really very simple, if we look at the diagram above, we will see that to receive notifications, we must first select the items we want to audit. We have two types that we can audit, the Users (Exchange Mailboxes, Shared Mailboxes, OneDrive for Business, etc.), and the Groups (SharePoint and Teams).

To start making a deeper visualization of what happens of one or the other, we have to know the ID, and the name of what we want to audit, we will see the example with a User, we will have to go first to Organizations, since we need to know our Organization ID, from our swagger – https://YOURVB365:4443 and you do the Auth at the end of the page to obtain the token, then on the top to login, then you go to Organizations, expand the GET, and click on Try it out, you will see something similar to this:

Now that we know our Organization ID, we will go to OrganizationUser and expand the GET, where we ask for the Organization ID, once we paste it we give Try it out!

This will give us back all the users, in my case in which I want to enable the audit is Jorge de la Cruz, so the relevant data are the following: ID, displayName, and name

We are almost there! We will finally go to OrganizationAudit, and in the AuditItems POST, we will introduce our Organization ID, and the following code with the user, or users, or groups. It is a .json, so at once we can add as many components as we want:

[
{
"type": "user",
"user": {
"id": "jorgedelacruz.onmicrosoft.com:00000000-0000-0000-0000-000000000000:00000000-0000-0000-0000-000000000000:291b10fd-bb83-4e51-9365-302f403234a8:00000000-0000-0000-0000-000000000000",
"displayName": "Jorge de la Cruz",
"name": "jorge.delacruz@jorgedelacruz.es",
}
}
]

The result would have to be something like this, we will hit the Try it out button as always, we will have to receive a 200 to know that everything has gone well:

If we wanted to check that everything has been added in a satisfactory way, very quickly we go to the GET of AutidItems, and check what we have:

We see that everything has gone well and we have our users, this would help us to check which users and groups we are auditing.

We already have everything ready. What is left for us? Open the Veeam Explorers and start playing.

A Real-Life Example of Audit being sent in Real-Time

As I say, no matter if we open the Explorer from the server, or from a Tenant, or from another PC, any element that we open, restore, or export, the relevant security email will be sent so that everything is audited, for example:

I have opened an Exchange Explorer, and in a user where the audit is enabled I have View an email to browse it:

I immediately received this message on my security account where I am auditing who does what and when:

Now I have decided to export an email to my computer as .msg:

I have immediately received this message in my security account where I am auditing who does what and when, and in this case where I have exported the item:

I leave you another example, this time of restoration of OneDrive for Business:

This is very, very powerful, and will surely give us a lot of play in the near future. I hope you find it useful, thank you very much for reading.


12 comments

Userlevel 7
Badge +6

Excellent Jorge !! great content….:ok_hand_tone3:

Userlevel 4
Badge +1

Thanks for sharing Jorge - This is going to be very useful for many customers meet those audit requirements

Userlevel 4
Badge +6

Another great article mate! Good work.

Userlevel 7
Badge +11

Very in-depth @jorge.delacruz, tempted to say “as always”. Love the effort you put into these posts.

Userlevel 7
Badge +12

Awesome @jorge.delacruz ! Thank you for this article !

Userlevel 7
Badge +17

Great article, thanks for sharing @jorge.delacruz 

Userlevel 7
Badge +1

Thank you for this article 

Userlevel 6
Badge +1

I have developed a habit of bookmarking your posts. Great stuff man!

Userlevel 7
Badge +6

Hello guys,

So, just the other day I’ve presented a topic around this very topic, I am attaching it to the post, in case somebody found useful to see somebody explaining it step by step, a diagram, the why, etc.

Thanks so much!

Is it possible to enable auditing on all users and groups without needed to manually add the ID, displayName, and name for each user/group? Something like a wildcard json entry or something?

Also is there a way to ensure new users/groups get automatically added to OrganizationAudit > AuditItems POST?

Thank you!

Userlevel 7
Badge +10

Is it possible to enable auditing on all users and groups without needed to manually add the ID, displayName, and name for each user/group? Something like a wildcard json entry or something?

Also is there a way to ensure new users/groups get automatically added to OrganizationAudit > AuditItems POST?

Thank you!

 Hey, Jorge! This was a great solution. I was wondering if the question above was answered? Is it possible to audit a whole organization? It would be another administration task if items (users and groups) had to be manually added.

Is it possible to enable auditing on all users and groups without needed to manually add the ID, displayName, and name for each user/group? Something like a wildcard json entry or something?

Also is there a way to ensure new users/groups get automatically added to OrganizationAudit > AuditItems POST?

Thank you!

 Hey, Jorge! This was a great solution. I was wondering if the question above was answered? Is it possible to audit a whole organization? It would be another administration task if items (users and groups) had to be manually added.

 

​​​​​I have the same issue, I would like to know if it’s possible to audit the whole org rather than manually have to add each new user. Anyone found a way to achieve this?

 

Thanks

Comment