Question

Restore permissions for Veeam Backup for Office 365

  • 26 April 2023


To back up data from M365 one can pre-create an app within AzureAD and connect via a certificate from VBM. Then no additional login to M365 is necessary:

Step 5. Register or Select Azure AD Application - Veeam Backup for Microsoft 365 Guide

Keep in mind that you do not need to select this check box if you have granted the required permissions to the specified Azure AD application beforehand and already registered its certificate in Azure Active Directory. If the Grant this application required permissions and register its certificate in Azure AD check box is not selected, Veeam Backup for Microsoft 365 skips the Log in to Microsoft 365 step and proceeds to Finish Working With Wizard.

But once you want to restore back to M365, things change: from within Exchange Explorer you are prompted to do the device flow login with e.g. an Exchange admin to restore mail objects.

Though while deploying the Azure AD app, an impersonation user was already specified.

Is there a way to pre-define rights for the Azure AD app to circumvent recurring device flow logins?

E.g. using the restore portal from within VBM, it can be done without an additional login for each restore.

Thanks,

Michael


7 comments


@Rin 


No one has any idea?

How do you handle M365 recoveries in an MSP scenario?

Thanks,

Michael


Maybe @MicoolPaul ? 😁


Not an MSP anymore but can look into this.


To clarify, when restoring to Exchange you’re finding that if you use Veeam Explorer for Microsoft Exchange then you’re prompted to authenticate, but when you’re using the Restore Portal it doesn’t request this?


Just making sure I understand what you want out of this 😊


Thanks, @MicoolPaul for having a look.

The request was primarily to have the VBM recovery process without the need for admin credentials.

The regular process with VEXE needs a DeviceCode-Flow login with every restore.

The restore portal installation needs a DeviceCode-Flow login at least once while hooking it up to the Azure application used.

To my knowledge there is no way around this. So there is no way to avoid any DeviceCode-Flow login.

The question was to prove me wrong… 😉

For the backup itself it is quite possible without any login if the application is prepared beforehand.


Haven’t forgotten about this one! The lab has had a fresh install of VB365 (I was on v5 and wanted to test some creation steps so a new lab has been built for this!).
Currently backing up my M365 tenant, and then I’ll get to playing with this tomorrow hopefully 😊 take it you’ve not had any joy through other channels getting an answer @Michael Melter?


Thanks, @MicoolPaul for keeping an eye on it. Please let me know about your findings.

Meanwhile I had several talks with other VBM experts. Besides the restore portal, there seems to be no way around the following: the user operating the restore process has to have admin rights within the M365 tenant for the specific workload to be recovered. On top of that, they have to have the ApplicationImpersonation role to recover mailbox data.

I first thought it would be sufficient for the user selected in the VBM definition for the M365 tenant to have those roles. But as the Veeam Explorers drive the recoveries, this is a different story. The tenant user is only leveraged for backups, to my understanding.

Using the restore portal, though, circumvents all that. The only thing is that e.g. group mailboxes technically cannot be recovered with the restore portal. So we have limited functionality here.

All of this has to be kept in mind when designing an MSP solution for M365 backups.
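The preparation the thread refers to (pre-creating the Azure AD app with a certificate so the backup side needs no interactive login, and giving the impersonation user the Exchange ApplicationImpersonation role mentioned in the last comment) can be scripted. The following is an added example, not Veeam's code and not from any poster in this thread; the app name, certificate subject and impersonation UPN are placeholders, and the Graph API permissions Veeam requires are deliberately left out because the thread does not list them (take them from the Veeam guide for your version). It uses the Microsoft.Graph and ExchangeOnlineManagement modules.

```powershell
# Added example (not Veeam's own code). Pre-create the Azure AD app VBM will
# use, attach a certificate credential, create its service principal and give
# the impersonation user the Exchange ApplicationImpersonation role.
# App name, certificate subject and UPN below are assumptions/placeholders.
#Requires -Modules Microsoft.Graph.Applications, ExchangeOnlineManagement

$AppName          = 'VBM365-Backup'                  # assumption
$CertSubject      = "CN=$AppName"                    # assumption
$ImpersonationUpn = 'vbm-impersonation@contoso.com'  # assumption

# 1. Self-signed certificate. The private key stays in the machine store;
#    export the .pfx for the VBM server separately, the .cer is for Azure AD.
$cert = New-SelfSignedCertificate -Subject $CertSubject `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyExportPolicy Exportable -KeySpec Signature `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(2)
Export-Certificate -Cert $cert -FilePath ".\$AppName.cer" | Out-Null

# 2. Register the application with the public key as a credential and create
#    its service principal. Application.ReadWrite.All is needed for this step.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'
$app = New-MgApplication -DisplayName $AppName -SignInAudience 'AzureADMyOrg' `
    -KeyCredentials @(@{
        Type        = 'AsymmetricX509Cert'
        Usage       = 'Verify'
        Key         = $cert.RawData
        DisplayName = $CertSubject
    })
$sp = New-MgServicePrincipal -AppId $app.AppId

# API permissions and admin consent are intentionally NOT scripted here:
# the required set depends on the VBM version and is documented by Veeam.
# Grant it in the portal or via Graph, then verify before running the wizard
# with the "Grant this application required permissions..." box unticked.

# 3. Impersonation user: Exchange RBAC assignment of ApplicationImpersonation.
Connect-ExchangeOnline
New-ManagementRoleAssignment -Name "$AppName-Impersonation" `
    -Role 'ApplicationImpersonation' -User $ImpersonationUpn

# 4. Checks a practitioner wants before relying on the non-interactive path:
#    the certificate is attached and not expired, the role is assigned.
Get-MgApplication -ApplicationId $app.Id |
    Select-Object -ExpandProperty KeyCredentials |
    Select-Object DisplayName, StartDateTime, EndDateTime
Get-ManagementRoleAssignment -RoleAssignee $ImpersonationUpn `
    -Role 'ApplicationImpersonation'

"AppId: $($app.AppId)  Thumbprint: $($cert.Thumbprint)"
```

Two caveats. First, this only covers the backup side and the impersonation account; as the thread concludes, it does not remove the device-code prompt that Veeam Explorer for Microsoft Exchange raises for restores, because the explorer authenticates the operator, not the tenant's service principal. Second, Microsoft has announced the retirement of the ApplicationImpersonation RBAC role in Exchange Online, so check current Microsoft and Veeam guidance before depending on step 3 for a new deployment.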
