• EN

Veeam M365 - Modern App Only Authentication best practices ?

Stabz
Userlevel 7
Badge +7

Hello guys,

Following the Disable Basic Auth in M365 since Oct. 1, 2022, I m looking for the best practices to implement the Modern App Only Authentication.

I ll not explain why it’s important to protect M365 datas @Iams3le already did it very weel right here: 

To improve security, I would use the least privilege approach and only assign the permissions which are required for the task at hand. But I m a bit confuse with the best way to do it.

Regards the required permissions in the help center (https://helpcenter.veeam.com/docs/vbo365/guide/vbo_required_permissions.html?ver=60), we need Veeam Backup Account Permissions and Azure AD application permissions.

Is the Veeam Backup Account Permissions mandatory with the Modern App Only Authentication? 
In my understanding is only needed when we need to use the legacy mode.

For the creation of the Azure AD app, we need to provide a user to login to M365. What kind of account do you use as this step? A dedicated service account or an admin user account?

The requirements for the user account are the followoing:

  • Global Administrator

It’s a privilege role so I would like to limit this attribution.

if I create a custom Azure AD application do my account still need to have this permission?

Thanks !

Philippe DUPUIS |Veeam Certified Engineer | https://original-network.com/

4 comments

MicoolPaul
Userlevel 7
Badge +20

Is the Veeam Backup Account Permissions mandatory with the Modern App Only Authentication? 
In my understanding is only needed when we need to use the legacy mode.

Correct, it’s for Modern App + Legacy Protocols, or Basic Auth

For the creation of the Azure AD app, we need to provide a user to login to M365. What kind of account do you use as this step? A dedicated service account or an admin user account?

The requirements for the user account are the followoing:

  • Global Administrator

It’s a privilege role so I would like to limit this attribution.

You need this to create the application IIRC, then you can strip the application permisisons back to just what is required for backup & restore.

if I create a custom Azure AD application do my account still need to have this permission?

This is a “it depends” question, more related to when you select your Azure AD Application, you can ask Veeam to grant the required permissions, IIRC when you specify that you don’t want Veeam to grant permissions, you’re not asked to sign in as a Global Admin (doesn’t need to be global admin to your application account but any GA). If you pre-configure the permissions, you should be fine without this.

Michael Paul - #VeeamLegend | #VeeamVanguard | Veeam Certified Architect | VMware vExpert | https://micoolpaul.com | Twitter: @MicoolPaul | Mastodon: @micoolpaul@masto.nu | Bluesky: @micoolpaul.bsky.social
Stabz
Userlevel 7
Badge +7

Thanks @MicoolPaul for your answer.

Yes in my comprehension, Veeam needs to have an account with global admin role to create the app with all the appropriate rights.

In the case where the application is created manually it's seem that is not a requirement but I m not sure.

But in any case an account needs admin rights, to restore with the explorers.(Exchange,Sharepoint,Teams administrator roles)

Unfortunatelly I dont have an M365 account to test this on my lab :(
 

Philippe DUPUIS |Veeam Certified Engineer | https://original-network.com/
MicoolPaul
Userlevel 7
Badge +20

I’ll check in my lab tomorrow 😊

Michael Paul - #VeeamLegend | #VeeamVanguard | Veeam Certified Architect | VMware vExpert | https://micoolpaul.com | Twitter: @MicoolPaul | Mastodon: @micoolpaul@masto.nu | Bluesky: @micoolpaul.bsky.social
Stabz
Userlevel 7
Badge +7

I’ll check in my lab tomorrow 😊

Hello @MicoolPaul hope you are fine :)

did you have time to test in your lab? 

Philippe DUPUIS |Veeam Certified Engineer | https://original-network.com/

Comment


Terms & Conditions