Correct, it’s for Modern App + Legacy Protocols, or Basic Auth

For the creation of the Azure AD app, we need to provide a user to login to M365. What kind of account do you use as this step? A dedicated service account or an admin user account?

The requirements for the user account are the followoing:

• Global Administrator

It’s a privilege role so I would like to limit this attribution.

You need this to create the application IIRC, then you can strip the application permisisons back to just what is required for backup & restore.

if I create a custom Azure AD application do my account still need to have this permission?

This is a “it depends” question, more related to when you select your Azure AD Application, you can ask Veeam to grant the required permissions, IIRC when you specify that you don’t want Veeam to grant permissions, you’re not asked to sign in as a Global Admin (doesn’t need to be global admin to your application account but any GA). If you pre-configure the permissions, you should be fine without this.

Thanks @MicoolPaul for your answer.

Yes in my comprehension, Veeam needs to have an account with global admin role to create the app with all the appropriate rights.

In the case where the application is created manually it's seem that is not a requirement but I m not sure.

But in any case an account needs admin rights, to restore with the explorers.(Exchange,Sharepoint,Teams administrator roles)

Unfortunatelly I dont have an M365 account to test this on my lab :(
 

I’ll check in my lab tomorrow

Hello @MicoolPaul hope you are fine :)

did you have time to test in your lab? 

Hi @MicoolPaul ,
if the global administrator role is not required as the service account for VBO365, what will be the minimum required permission to perform the backup and the restore?

Thank you,