[New] Veeam Backup for Microsoft Office 365 v5 - Security Notifications for each Restore operation

Greetings friends. Veeam Backup for Microsoft Office 365 v5 was released very recently, and among many new functionalities like Microsoft Teams Protection and Scalability enhancements, I have seen that there are certain advanced functionalities that can be performed using the RESTful API. It is not the first time that the development team of this product launches API functionalities that later move to the graphical interface if they are well received.

In particular, the one we are going to focus on today is a functionality that has been requested for a long time: receiving an email notification for each restore operation that is performed on the items where auditing is enabled.


Audit Diagram in Veeam Backup for Microsoft Office 365 v5

Before we start with the subject, I think a diagram about how all this works can help us better understand what we are going to do, and activate:


How to Enable Auditing of protected items with Veeam Backup for Microsoft Office 365 v5

We have all the help and official information in the following link, but it is really very simple. If we look at the diagram above, we will see that to receive notifications, we must first select the items we want to audit. We have two types that we can audit: Users (Exchange Mailboxes, Shared Mailboxes, OneDrive for Business, etc.) and Groups (SharePoint and Teams).

To look more closely at what happens with one or the other, we have to know the ID and the name of what we want to audit. We will see the example with a User. We have to go first to Organizations, since we need to know our Organization ID. From our swagger (https://YOURVBO:4443/swagger), do the Auth at the end of the page to obtain the token, then log in at the top. Then go to Organizations, expand the GET, and click on Try it out; you will see something similar to this:

Now that we know our Organization ID, we will go to OrganizationUser and expand the GET, where we are asked for the Organization ID. Once we paste it, we click Try it out!

This will give us back all the users. In my case, the one for which I want to enable the audit is Jorge de la Cruz, so the relevant data are the following: ID, displayName, and name.

We are almost there! We will finally go to OrganizationAudit, and in the AuditItems POST, we will introduce our Organization ID and the following code with the user, or users, or groups. It is a .json, so we can add as many components as we want at once:

  [
    {
      "type": "user",
      "user": {
        "id": "291b10fd-bb83-4e51-9365-302f403234a800000000-0000-0000-0000-000000000000",
        "displayName": "Jorge de la Cruz",
        "name": "jorge.delacruz@jorgedelacruz.es"
      }
    }
  ]

The result would have to be something like this. We will hit the Try it out button as always, and we have to receive a 200 to know that everything has gone well:

If we want to check that everything has been added satisfactorily, we can very quickly go to the GET of AuditItems and check what we have:

We see that everything has gone well and we have our users. This helps us check which users and groups we are auditing.


How to Enable the notification of the Audited items

Now that we have one or more users and groups enabled for the audit, it is time to set up email notification. My recommendation is that we select a Distribution List that will go to those responsible for backup, security, etc., since there is no personal data in the emails sent, only who does what, and when.

This configuration is done through the RESTful API too. We will go now to AuditEmailSettings, where we will see three operations, and we will select PUT:

In the configuration we will have to enter the following .json, which obviously you will have to fill in with your data. The password is then saved in encrypted form:

{
  "enableNotification": true,
  "smtpServer": "smtp.office365.com",
  "port": 587,
  "useAuthentication": true,
  "userPassword": "MIPASSWORD",
  "useSSL": true,
  "from": "veeam@MIDOMINIO.COM",
  "to": "veeam@MIDOMINIO.COM",
  "subject": "VBO Audit - %StartTime% — %OrganizationName% - %DisplayName% - %Action% - %InitiatedByUserName%"
}

Again, to check that everything has gone well, apart from the code 200 that we have to see, we can go to the GET and check what we have:

We already have everything ready. What is left for us? Open the Veeam Explorers and start playing.


A Practical example of Audit being sent in Real-Time

As I say, no matter if we open the Explorer from the server, from a Tenant, or from another PC, for any element that we open, restore, or export, the relevant security email will be sent so that everything is audited. For example, I have opened an Exchange Explorer, and in a user where the audit is enabled I have opened an email to browse it:

I immediately received this message on my security account where I am auditing who does what and when:

Now I have decided to export an email to my computer as .msg:

I have immediately received this message in my security account where I am auditing who does what and when, and in this case where I have exported the item:

I leave you another example, this time of a restoration of OneDrive for Business:

This is very, very powerful, and will surely give us a lot of play in the near future. I hope you find it useful, thank you very much for reading.
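The steps above copy ID, displayName and name by hand for each user. As an added example (not part of the original post and not Veeam's code), this Python sketch compares a saved OrganizationUser GET result with a saved AuditItems GET result and builds the AuditItems POST body for every user that is not yet audited. The sample data is constructed, and the list-of-objects shape of both saved responses is an assumption.

```python
import json

FIELDS = ("id", "displayName", "name")  # the three values the post copies by hand

# Constructed sample data: a saved OrganizationUser GET result and a saved
# AuditItems GET result. The list-of-objects shape is an assumption.
ORG_USERS = [
    {"id": "aaaaaaaa-0000-0000-0000-000000000001", "displayName": "Alice Example", "name": "alice@example.com"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000002", "displayName": "Bob Example", "name": "bob@example.com"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000003", "displayName": "Carol Example", "name": "carol@example.com"},
]
AUDIT_ITEMS = [
    {"type": "user", "user": {"id": "AAAAAAAA-0000-0000-0000-000000000001",
                              "displayName": "Alice Example", "name": "alice@example.com"}},
]


def to_audit_item(user):
    """Build one AuditItems entry in the shape shown in the post."""
    missing = [f for f in FIELDS if not user.get(f)]
    if missing:
        # Fail loudly: a silently skipped account is an unaudited account.
        raise ValueError(f"user record lacks {missing}: {user!r}")
    return {"type": "user", "user": {f: user[f] for f in FIELDS}}


def audited_user_ids(audit_items):
    """IDs of users already audited, lower-cased for comparison."""
    return {i["user"]["id"].lower() for i in audit_items
            if i.get("type") == "user" and i.get("user", {}).get("id")}


def missing_audit_items(org_users, audit_items):
    """Return the POST body covering every user that is not yet audited."""
    seen = audited_user_ids(audit_items)
    body = []
    for user in org_users:
        uid = str(user.get("id") or "").lower()
        if uid and uid in seen:
            continue  # already audited, or a duplicate row in the listing
        body.append(to_audit_item(user))
        seen.add(uid)
    return body


if __name__ == "__main__":
    print(json.dumps(missing_audit_items(ORG_USERS, AUDIT_ITEMS), indent=2))
```

An empty result means every listed user is already audited, so running it on a schedule against fresh GET results shows new accounts that still lack auditing.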


Excellent Jorge !! great content…

Thanks for sharing Jorge - This is going to be very useful for many customers to meet those audit requirements

Another great article mate! Good work.

Very in-depth @jorge.delacruz, tempted to say “as always”. Love the effort you put into these posts.

Awesome @jorge.delacruz ! Thank you for this article !

Great article, thanks for sharing @jorge.delacruz 

Thank you for this article 

I have developed a habit of bookmarking your posts. Great stuff man!

Hello guys,

So, just the other day I presented a session around this very topic. I am attaching it to the post, in case somebody finds it useful to see somebody explaining it step by step, with a diagram, the why, etc.

Thanks so much!

Is it possible to enable auditing on all users and groups without needing to manually add the ID, displayName, and name for each user/group? Something like a wildcard json entry or something?

Also is there a way to ensure new users/groups get automatically added to OrganizationAudit > AuditItems POST?

Thank you!