Veeam Backup for Microsoft 365 v6a - Teams Export API Previewed


Userlevel 7
Badge +6

Today I want to share a sneak peek at the next release of Veeam Backup for Microsoft 365, v6a. Like traditional minor/interim releases, this release will mainly include bug fixes. However, there’s an interesting feature being released that I’ll be sharing some details on.

 

Goodbye Exchange, Hello Teams Export API

To understand what’s changing, we need to understand what is going, and why this change is necessary. Currently, Veeam are protecting Teams channel ‘chat’ data via Exchange Online. Notice I say Teams channel, currently Veeam doesn’t protect any ‘Direct Messages’, either 1:1 or group chats, so chat in this context refers to posts and comments within a Teams channel.

 

How does Veeam currently process my Teams data?

To achieve the protection of this Teams data, Veeam reads a hidden folder within Exchange Online, called ‘TeamsMessagesData’. This is true whether you use Basic or Modern Authentication.

If you weren’t already aware, Microsoft are completing removing Basic Authentication Support from October 2022, for more information on this, please read this great summary post from my friend and former Veeam Legend, Fabian. There’s also evidence that Microsoft have begun their trials of Basic Authentication being disabled on individual mailboxes, as noted by another friend & Veeam Legend, Max.

 

What’s wrong with the current approach? Why do we need Teams Graph APIs?

Microsoft aren’t happy with the current approach, and have created a troubleshooting document stating this isn’t supported. Within this document it is clearly detailed that the only supported method for accessing Teams data is via the Teams Graph APIs. Forcing Veeam, and all other backup vendors for that matter, into the use of Teams Graph APIs.

Microsoft intend to restrict access to the ‘TeamsMessagesData’ hidden folder completely in the near future. Furthermore, I’ve heard reports that some mailboxes within organisations are already showing issues connecting to this folder, as Microsoft test this ahead of a full roll-out. I’ve been unable to find any public-facing documentation detailing Microsoft’s timelines and aggressiveness for this change, so we need to be prepared.

 

This all sounds like back-end changes that shouldn’t affect me, right?

It might sound that way, but that’s not true in this instance. There are multiple risks that we need to consider as part of adopting this approach, which we’ll go through below.

 

Microsoft’s Teams Export API is a Protected API

What is a protected API might be your first question. The answer to this question is, a protected API is an API that requires additional validation by Microsoft, prior to approval. This is typically due to the sensitive data that could be accessed via misuse of the API. Due to the manual approval, it is not possible to utilise any form of automation to gain immediate access to the APIs.

This manual approval needs to be factored into any Veeam Backup for Microsoft 365 deployments that you’re going to undertake, as it is not an immediate process. Please see the below as copied from Microsoft’s documentation:

To request access to these protected APIs, complete the following request form. We usually review access requests every Wednesday and deploy approvals every Friday or Monday, except during major holiday weeks in the U.S. Submissions during those weeks will be processed the following non-holiday week. To verify whether your request has been approved, test your application access on the next applicable Monday. If we have additional questions about the request, we will contact the email specified in the form.

Microsoft Docs – 20/06/2022

Yep, that’s right, no confirmation of your approval, a once-a-week review process, if you’ve made a mistake, add a week’s delay to the approval process. <sarcasm> It’s only the sole API you can backup your data via, no biggie, right? </sarcasm>

This protected API access is per registered application within your Microsoft 365 tenant, so if you’re planning on protecting your Teams data via this API, be sure to register your application and request API access as soon as possible to prevent delays to your projects.

As a final comment on this, you’ll likely have noticed there’s no commitment to which cycle your API request will be processed within, I can only expect as backup vendors migrate to this API, there will be spikes in requests in line with vendor patches that incorporate this feature, which does bring a very real risk of additional delays if Microsoft don’t have the resources to cope with such spikes in utilisation.

Once you’ve received your approval, you’ll be required to add the following API permissions to your application:

  • Chat.Read.All
  • ChannelMessage.Read.All
  • User.Read.All

[Update 23/06/2022] Microsoft’s manual application process has highlighted some confusion around the process above. So to clarify, you can apply these API permissions at any point to your application, however if you attempt to use a protected API call within your application, without completing the Microsoft form & being approved first, your API call will fail. When applying for the protected API access, Microsoft don’t ask which protected APIs you need access to, instead appearing to grant access to all protected APIs. [End of Update]

If you haven’t gained access to the protected APIs, when you attempt to process your Teams data, you’ll be greeted with the following error:

Failed to process team: <teamname> 
Invoked API requires Protected API access in application—only context when not using Resource Specific Consent.
Visit https://docs.microsoft.com/en—us/graph/teams—protected—apis for more details..
The remote server returned an error: (403) Forbidden.

 

Microsoft’s Teams Export API is a Metered API, still in its Infancy

In addition to the potential delays from Microsoft’s manual approval process, Microsoft have also taken the approach that this API will be metered, aka, chargeable.

This does leave me with mixed feelings, as one of Microsoft’s justifications is that this approach will enable better funding of Microsoft Graph API endpoints to prevent throttling on the service, due to its pay-as-you-consume nature, and I can respect this. However, I do have some issues with the Metered API at present which I do wish would change.

 

Deduplication/Data Efficiency Not Included

Within the current release of Microsoft’s Teams Export API, duplicate messages are not truncated into a single API request & response.

[Update 21/06/2022] I’ve had clarification from Veeam that the previous information I was supplied wasn’t 100% accurate. I’ve left it struck through for completeness of information. For example, if I had a Teams channel that had 1,000 members, and I posted a message within the channel, this message will be returned 1,000 times, once per member of the channel. On a metered API, this becomes expensive very quickly. Then if someone has replied? That’s another 1,000 requests serviced and billed. Within direct messages, which aren’t going to be supported by v6a, and instead via an unspecified future release, Microsoft’s API will be charging via the following formula:

(#NumberOfMessages * #NumberOfMessageRecipients) * $0.00075

Whereas for Teams channel posts and replies, these are stored within a Microsoft 365 group and so they aren’t subject to this issue at present, instead the formula to calculate message cost is simple:

#NumberOfMessages * $0.00075

[End of Update]

To Microsoft’s credit, they are aware of this as a feature request, and they hope to deliver this towards the beginning of 2023, however until the feature is GA, that’s just an estimate. We’d then also need to see if their implementation requires additional work from Veeam to implement, in which case we’d be awaiting a future update.

 

Will Teams chat data still be backed up incrementally?

One of the most alarming thoughts that springs to mind is, can we still process Teams data incrementally? And you’ll be pleased to hear you still can.

 

How much does this Teams Export API cost?

Before we get into the financials, it’s good to know the cost models that Microsoft are offering with this API. Microsoft have three license types, “model=A”, “model=B” and evaluation.

Evaluation licensing is limited to 500 messages per month, per app, and will be quickly consumed by nearly all organisations. “model=A” and “model=B” licensing cost the same, but with a key difference, seeded capacity. Before we get into this, know that Veeam is required to use “model=B” licensing, which doesn’t benefit from seeded capacity, but it’s still worth highlighting this, as I believe Microsoft should reconsider what is included in “model=A” licensing.

 

What is a seeded capacity?

For organisations that have licensed their users with appropriate E5 licenses, if they have an application that is licensed as “model=A”, they can get a certain volume of free API calls, per user, per month, per application. These API calls are pooled collectively for the organisation, and would make a huge difference for saving money.

 

Why can’t Veeam leverage seeded capacities?

Microsoft are restricting “model=A” access to security & compliance access only, even though an argument could surely be made that backup products are ensuring data compliance, but Microsoft appear to still need convincing. Whilst only customers leveraging E5 licenses would benefit from the seeded capacity, this would help those that do with their billing costs.

 

Microsoft API Price List

Scenario Model Parameter Licensing Requirement Change Notifications API Seeded Capacity Export API Seeded Capacity Consumption Price (Per Message)
Security & Compliance Model = A Microsoft 365 E5 eligible license 800 messages, per user, per month, per application (Pooled) 1,600 messages, per user, per month, per application (Pooled) $0.00075
Non-Security & Compliance Model = B None None None $0.00075
Evaluation N/A N/A 500 messages, per month, per app 500 messages, per month, per app N/A

Microsoft’s licensing is due to change at any point, so please keep this in mind as you read this blog post, and whilst I’ve collated this table for your benefit, the most up-to-date information can be found at Microsoft’s documentation page for licensing, here.

 

How does the bill get paid?

The application is registered within Azure Active Directory, which, as part of your Azure tenant, means it can be associated with an Azure subscription, this is the billing mechanism that will be utilised by Microsoft to charge for API access.

 

Any estimates for average Teams API costs?

This will unfortunately vary dramatically by user and organisation, I’ve heard some daily users of Teams have generated enough requests that it has equated the cost of an M365 E3 or E5 license, it is certainly possible that this will become incredibly expensive.

 

What else do I need to know about the Veeam Backup for Microsoft 365 v6a upgrade?

There are a few more key insights that I want to share with you regarding this upgrade. Most importantly, when you upgrade to v6a, you will no longer be able to leverage the old backup mechanism for Teams, Veeam will only offer the Teams Export Graph API option, until you’re ready to use this, you need to stay on v6.

Veeam are unable to query whether access to the protected APIs have been granted, but to prevent accidental upgrades and data protection gaps, Veeam are providing call to action prompts during the Veeam upgrade process, and will be automatically disabling the processing of Teams chat data post-upgrade, with you having to opt-in to the processing of this data again, an example of how this will look within a job configuration is below:

It’s worth noting the link within the screenshot is the same link I have provided above for Microsoft licensing/pricing information.

Until this release is generally available, this can’t be guaranteed, but Veeam are intending to allow support for downgrading from v6a back to v6, should you need to back out of your upgrade process if you completed this prematurely.

It is strongly recommended to perform a data audit prior to utilising Microsoft Teams Export API to ensure you’ve scoped which Teams actually require protection, to help minimize this cost increase.

 

This all sounds like doom & gloom, any positives to take from this?

Sure! Whilst I disagree on the pricing, especially with regards to lack of data efficiency and the omission of any free/limited utilisation options available. Especially as Teams is only available with a paid license already, the Teams Export Graph API does bring the ability to process Teams direct messages in the future. Veeam don’t have any support for this yet, but Veeam intend to extend chat support as the API matures, to better protect your environments. This will potentially include 1:1 conversations, group chats, and meeting chats.

The Teams Export Graph API also provides the benefit of not relying on Exchange Online to read what is essentially, Microsoft’s backup copy of the Teams data, instead going to the Teams Cosmos DB-based message store. The utilisation of this API will start to make it easier to get data from different locations, providing better Teams protection overall.

It’s also worth noting that this impacts Teams ‘chat’ information only, the processing of channels, tabs, files & membership data, is all covered within existing APIs, and doesn’t require metered access, so this will remain protected by default upon upgrading. You might be wondering how we configure this, Veeam have enabled new processing options specifically for Teams, as per the screenshot below.

Finally, if you have no intention of protecting your Teams chat data, you don’t need to worry about upgrading to v6a, just install and Veeam will no longer process your Teams chat data. Please remember that you are likely currently backing up this chat data within any existing Teams backup jobs, so you will suddenly have a data protection gap.

 

What do I need to do now?

If you’re planning on protecting your Teams data, now or in the future, you should focus on submitting your application to Microsoft ASAP, to have the access approved prior to the upgrade. The link is available here.

You should conduct an audit as to which Teams require data protection, this will help reduce cost increases as a result of this API.

If you’re unhappy with this change, direct your feedback to Microsoft via any and all channels you have, this could set a dangerous precedent for Microsoft’s approach to Graph API access in the future. So, if you’re opposed to the path that Microsoft is taking, be sure to make your voice heard.

Read and bookmark the Veeam KB article, as Veeam will keep this KB updated as v6a approaches generally available.

 

How long do I have?

Veeam hope to have v6a available by August, though it will of course be ready, when its ready. This doesn’t mean you need to upgrade on day one, however Microsoft will be concentrating efforts to shut down the legacy access to this Teams data via Exchange from October 2022, though this could be subject to change. As a result, you should plan to be on v6a by October 2022.


9 comments

Userlevel 7
Badge +6

That was interesting the webinar yesterday. Let's see how this plays out with our clients and everything else.

Userlevel 7
Badge +6

😎 does Microsoft have that much information on this topic like in this post?

Userlevel 7
Badge +7

Very important information here, thanks @MicoolPaul for your comprehensive post!

Userlevel 7
Badge +7

BTW: what MS writes about their approval process sounds like a one-man business 😛

Userlevel 7
Badge +6

Couldn’t agree more @vNote42 😂

 

Also, important update, I’ve just had to amend some details as I’ve had some clarification from Veeam RE the API calls required for channel posts & replies, suddenly it’s not as drastic!

Userlevel 7
Badge +5

Thank you very much for sharing @MicoolPaul

Userlevel 7
Badge +6

Update merged:

 

[Update 23/06/2022] Microsoft’s manual application process has highlighted some confusion around the process above. So to clarify, you can apply these API permissions at any point to your application, however if you attempt to use a protected API call within your application, without completing the Microsoft form & being approved first, your API call will fail. When applying for the protected API access, Microsoft don't ask which protected APIs you need access to, instead appearing to grant access to all Microsoft Teams protected APIs, even if your application only required a subset.[End of Update]

Userlevel 7
Badge +6

Thank you for this very detailed post Michael! I think it answers every single question for now and is a must read for every VB365 administrator. 👍

Also thank you for referring to my post 😊

Userlevel 7
Badge +6

Thank you @regnor for making great content that I can link to! And of course thank you for the kind words!

Comment