Microsoft's position on your 365 data is the same as Salesforce's: they keep the service running, you keep the data safe. Deleted items come back from the recycle bin for 93 days if you are lucky. After that, they are gone. Retention policies are not backup, they were designed for compliance, not recovery. Veeam Backup for Microsoft 365 v8 is the current answer to this problem, and v8 is a significant architectural shift from v7. This article covers what changed in v8, how to deploy it, how to configure jobs for all four workloads, and how the Explorers work when you actually need to recover something.
What Microsoft Does Not Cover
Exchange Online retention policies keep deleted items in a recoverable state temporarily. SharePoint and OneDrive versioning helps with accidental overwrites if someone catches the problem fast enough. Teams messages deleted by a user are gone from the Teams UI even if technically present in Exchange for a period. None of this is backup in any meaningful sense. There is no point-in-time restore, no cross-tenant recovery, no granular item search across a historical timeline. Those gaps are exactly what Veeam fills.
What Changed in v8
v8 is not a minor update. The architecture changed at the database and proxy layers in ways that affect how you deploy and scale the product. If you are running v7, you need to understand what you are upgrading into before touching the upgrade button.
SQLite to PostgreSQL [NEW]
v7 and earlier used SQLite for the configuration and per-proxy cache databases. v8 replaces all of that with a centralized PostgreSQL instance. This is not cosmetic. PostgreSQL unlocks multi-proxy shared cache, which is a prerequisite for proxy pools. It also improves performance and reliability at scale. In previous versions the persistent repository cache lived on each proxy server individually. In v8 it lives in PostgreSQL, which means multiple proxies can read and write the same cache for the same object storage repository. PostgreSQL 15.8 or higher is required.
Proxy Pools [NEW]
In v7, multiple proxy servers operated independently. In v8, you can group proxies into a proxy pool, which functions as a single logical unit for backup, backup copy, and restore operations. The pool distributes jobs across all available proxies, balances load, and spreads API requests across the pool to stay under Microsoft throttling thresholds. Object storage is the only repository type supported for proxy pool members. An additional benefit: you can take individual proxies in a pool into maintenance mode without disrupting scheduled jobs.
Linux Proxy Support [NEW]
v8 added Linux proxy support - RHEL and Ubuntu. v8.2 extended this to RHEL 9.6 and added Windows Server 2025 support. Linux proxies reduce TCO for large scale-out deployments and can be standalone or pool members.
NATS Server [NEW]
The NATS server is a new infrastructure component that handles communication between proxy servers in a pool. It uses JetStream technology for message queuing and streaming between backup infrastructure components. You install NATS as part of the VBO365 deployment - on the same host for simple deployments, or on a dedicated one for scale-out. One NATS instance per VBO365 deployment. Sharing a NATS server across multiple VBO365 deployments is not supported.
Immutability [NEW]
v8 delivers full immutability on primary object storage repositories. Supported platforms: Amazon S3 (governance and compliance modes), Azure Blob Storage, IBM Cloud Object Storage, and Wasabi. Both primary backups and backup copies can be made immutable, closing the air gap for ransomware scenarios where the backup environment itself is targeted.
MFA and RBAC [NEW]
v8 added MFA to the console and Explorers, plus proper RBAC with a Users and Groups section for defining who has backup administrator access. For organizations that need to scope access per MSP tenant or per business unit, this is a meaningful upgrade over v7.
Teams Private and Shared Channels [v8 GA]
v8 shipped with full coverage for private and shared Teams channels, not just standard channels. Earlier versions covered standard channels only. If your organization uses private channels for sensitive projects or shared channels for cross-org collaboration, this was the gap v8 closed at GA.
Architecture
v8 has more moving parts than v7. Map your deployment before installing anything.
| Component | Role |
| VBO365 Server | Management and control plane. Hosts the console, job scheduling, global settings. Defaults to also hosting the local backup proxy until you add remote proxies. |
| PostgreSQL | Centralized config database, org cache databases, and repository persistent caches. Must accept remote connections from all proxy servers. Dedicate a host for 3+ proxies or 60,000+ objects. |
| NATS Server | Proxy-to-proxy messaging. Required for proxy pools. Can be on the VBO365 server for simple deployments or separated for scale-out. |
| Backup Proxy Servers | Do the actual read/write work. Windows or Linux. Can be grouped into pools. Object storage repositories only for pool members. |
| Backup Repositories | Where the data lives. Object storage (S3, Azure Blob, IBM, Wasabi) preferred. Local (Jet-based) supported but not compatible with proxy pools. Retention is set at the repository level, not the job level. |
|
| Do Not Co-Install with VBR on a Shared PostgreSQL Instance If VBR v12 or later is on the same server using its local PostgreSQL instance, installing VBO365 v8 will fail. VBR configures PostgreSQL for local connections only. VBO365 requires remote connections for its proxies. They are incompatible by default. Use a separate PostgreSQL instance for VBO365, or follow KB4638 to manually reconfigure the shared instance before installation. |
System Requirements
| Component | Requirement |
| VBO365 Server OS | Windows Server (64-bit). Windows Server 2025 supported from v8.2. |
| Backup Proxy OS | Windows Server (domain or workgroup) or Linux (RHEL, Ubuntu). RHEL 9.6 supported from v8.2. |
| PostgreSQL | Version 15.8 or higher. Must listen for remote connections from all proxy servers. pg_trgm and plpgsql extensions required. UTF-8 encoding required. Dedicated SSD, 128 GB minimum, 7500 IOPS minimum for production. |
| NATS Server | Required for proxy pools. Recommend Linux host. One instance per VBO365 deployment. |
| Microsoft 365 | Modern app-only authentication required. Legacy protocols are deprecated and no longer supported. |
| Object Storage | Required for proxy pool repositories. Amazon S3, Azure Blob, IBM Cloud, Wasabi, or any S3-compatible storage supporting AWS Signature v4. Immutability requires Object Lock on the bucket. |
Deployment and Initial Setup
Download the installer from the Veeam downloads page. Run it on your designated VBO365 server. The installer wizard handles component selection, license file input, and PostgreSQL and NATS connection prompts.
1. Pre-install: prepare PostgreSQL. Install a new PostgreSQL 15.8+ instance or prepare an existing one. Veeam can install PostgreSQL 15.14 locally during setup. For existing instances, ensure remote connections are accepted, required extensions are installed, and UTF-8 encoding is set. Configure PgBouncer for environments exceeding 1,000 repositories or with high proxy counts. See KB4758.
2. Run the VBO365 installer. Select the Veeam Backup for Microsoft 365 component. Accept the license agreement, provide your license file, and let the system configuration check run.
3. Configure PostgreSQL connection. Point the installer at your PostgreSQL instance.
4. Configure NATS. For simple single-proxy deployments, NATS on the local machine is fine. For proxy pools, deploy NATS on a dedicated host first and point the installer at it.
5. Complete the installer. Open the Veeam Backup for Microsoft 365 console. Ready to add your Microsoft 365 organization.
Adding a Microsoft 365 Organization
1. In the console, click Add Organization. Select Microsoft 365.
2. Select Modern authentication (app-only). Legacy authentication is deprecated. Create or register a Microsoft Entra application with the required permissions. Graph API scopes differ per workload - Exchange, SharePoint/OneDrive, and Teams each have their own requirements.
3. Provide the application ID, tenant ID, and certificate or client secret. Authorize the connection. Veeam verifies and enumerates the organization.
Adding Proxies and Repositories
The default local proxy is sufficient to start. Add remote proxies as you scale, then add repositories.
1. In the console, navigate to Backup Infrastructure. Under Backup Proxies, click Add. Provide the server hostname, OS type, and credentials. VBO365 deploys the proxy service.
2. To create a proxy pool, select multiple proxy servers, right-click, and choose Add to Pool. Jobs targeting the pool distribute across all member proxies automatically.
3. Under Backup Repositories, click Add. Select object storage (preferred) or local storage. For object storage, provide bucket details, access credentials, and optionally enable immutability. Set retention at the repository level.
|
| Retention Is Set at the Repository, Not the Job This catches people coming from other backup products. In VBO365, retention is not a per-job setting. It is configured on the repository. All jobs writing to a repository share its retention policy. If you need different retention for different user groups, use separate repositories. |
Creating Backup Jobs
Jobs define what to protect and where to write it. One job can cover an entire organization or a granular selection of users, groups, sites, or teams.
1. In the Organizations view, right-click the organization and select Add to Backup Job, or click Backup in the ribbon.
2. Scope: Choose entire organization, or specific users, groups, sites, or teams. You can mix selections.
3. Objects: For each user or group in scope, select which data types to include: Mail, Archive Mailbox, OneDrive, Calendar, Contacts. For sites: SharePoint data. For Teams: standard, private, and shared channels.
4. Proxy and repository: Select the proxy or proxy pool and the target repository.
5. Schedule: Set the backup frequency. Minimum RPO supported is 5 minutes. For most environments, hourly is practical. You can configure separate RPOs for different object types.
6. Finish and enable the job. The first run performs a full enumeration of the protected scope. Subsequent runs are incremental.
The Veeam Explorers: Restore Workflows
The Explorers are where you spend your time during actual recovery events. Each workload has a dedicated Explorer. You access them from the same entry point: right-click a backup job or organization in the console and select Explore. You can explore the latest state, a specific point-in-time state, or retrieved data from archive storage.
| Ex | Veeam Explorer for Microsoft Exchange |
Handles granular recovery of Exchange Online data. The left pane shows the mailbox tree: Inbox, Sent, Calendar, Contacts, Tasks, Notes, Journal. You navigate it like Outlook. Browse, search, preview, and restore at any level from an individual email to an entire mailbox.
What you can restore:
-
Individual emails with attachments, including deleted items and all versions
-
Calendar items, contacts, tasks, notes, journal entries
-
Entire mailbox folders or entire mailboxes
-
Multiple mailboxes in parallel in a single restore session
-
Archive mailboxes
Restore targets:
Original Exchange Online mailbox, alternate mailbox, on-premises Exchange server, or export as .msg files locally. The 1-Click Restore option restores to original location with both changed and missing items, all folders, and unread status applied to restored items.
eDiscovery:
Advanced search across the backup with filters on sender, recipient, date range, subject, body content, and attachment presence. Results can be exported as .msg files for legal review without restoring to production.
| SP | Veeam Explorer for Microsoft SharePoint |
Provides granular recovery for SharePoint Online sites, libraries, lists, and documents. The left pane shows the SharePoint hierarchy. You drill down to the item you need.
What you can restore:
-
Individual documents and files, including all versioned copies
-
Document libraries and lists
-
SharePoint sites and subsites
-
List items with metadata and permissions preserved
Restore targets:
Original SharePoint Online location, alternate site, on-premises SharePoint, or save locally. Advanced search supports over 90 different property filters. Lists and items can be exported as XML for import into another SharePoint environment.
Note on site pages:
Veeam Explorer for SharePoint does not support restore of items not stored in the SharePoint content database - specifically, pages based on default templates. Pages containing only text and images stored in Wiki Content can be restored. Other page types cannot.
| OD | Veeam Explorer for Microsoft OneDrive for Business |
Handles recovery for individual user OneDrive accounts. The pane structure mirrors OneDrive folder layout for the selected user. Select a restore point from the timeline and browse the user files and folders as they existed at that point.
What you can restore:
-
Individual files, including all versions
-
Folders, including OneNote notebooks
-
Entire OneDrive account for a user
-
Changed or missing items only - useful for partial corruption or ransomware scenarios
Restore targets:
Original OneDrive, alternate user OneDrive, alternate folder, or save locally. Multiple files and folders can be saved as a ZIP. For ransomware scenarios, a full account restore from a clean pre-event point-in-time backup is supported.
| Te | Veeam Explorer for Microsoft Teams |
Teams data is distributed: channel files live in SharePoint, personal chat files live in OneDrive, and conversation history is stored in Exchange. The Teams Explorer abstracts that complexity and presents a unified view per team.
What you can restore:
-
Teams channel files (stored in SharePoint)
-
Posts and conversations (backed up from Exchange)
-
Tabs and configuration
-
Private channels
-
Shared channels
-
Entire teams
Critical limitation on messages:
Microsoft Teams messages cannot be restored directly back to Teams. The official Veeam documentation is explicit on this: there is no API that allows injecting message history back into the Teams channel timeline. This is a platform limitation, not a Veeam limitation. Files restore fine. Structure restores fine. For conversation history your options are: save posts as .msg files for compliance or legal review, or browse them in Veeam Explorer for Microsoft Exchange if stored in group mailboxes. Set stakeholder expectations on this before the first Teams restore request lands on your desk.
Restore Portal
The Restore Portal is a separate web-based interface that allows non-admin users to perform self-service recovery of their own data. A user logs in, selects their mailbox or OneDrive or SharePoint site, picks a restore point, and recovers what they need without involving IT. Restore operators can be scoped to specific users or groups, so you can delegate recovery for a department without granting full backup administrator access.
Gotchas and Common Failure Modes
-
PostgreSQL shared with VBR fails the installer. The most common v8 first-deployment problem. VBR configures PostgreSQL for local connections only. VBO365 requires remote connections. They cannot share the same instance without manual PostgreSQL reconfiguration. See KB4638.
-
Proxy upgrades after VBO365 server upgrade. After upgrading the VBO365 server you must upgrade all proxy servers. Proxies on an older version than the server will have connection issues or fail to process jobs.
-
PostgreSQL default config is not production-ready. The default PostgreSQL configuration installed by the installer is sized for minimum resource consumption. For any serious environment, adjust the PostgreSQL config per the best practices guide and use a dedicated SSD-backed host at scale.
-
One NATS server per VBO365 deployment. You cannot share a NATS server across multiple VBO365 deployments. Each needs its own.
-
Proxy pools require object storage repositories. Jet-based (local) repositories are not supported for proxy pool members.
-
Teams messages cannot be restored back to Teams - full stop. The official docs are explicit. Files restore fine. Message history does not go back into the channel timeline. Export as .msg files. Set expectations before someone promises it to a business owner.
-
Archive mailbox failures after upgrading. A known issue in certain v8 builds affects archive mailbox processing with a "Mailbox is not fully configured" error. Check the KB notes for your specific build and update proxies accordingly.
-
Legacy authentication is gone. v8 removed support for basic authentication and legacy protocols. Ensure your Entra app registration uses modern app-only authentication before upgrading from v7.
-
Upgrade from v7 migrates all databases to PostgreSQL. The migration includes all SQLite config and persistent cache databases from local and remote proxies. A 50 GB configuration database takes up to 15 minutes. Plan your maintenance window based on database size, not just installer runtime.
anystackarchitect.com | All technical claims verified against Veeam Backup for Microsoft 365 v8/v8.3 Help Center documentation and release notes.
|
|
|
|
| |
|
|
|
|
|
|
|
| |
|
| |
|
| |
|
|
