Veeam M365 - Modern App Only Authentication best practices?


Userlevel 7
Badge +7

Hello guys,

Following the disabling of Basic Auth in M365 since Oct. 1, 2022, I'm looking for the best practices to implement the Modern App Only Authentication.

I'll not explain why it’s important to protect M365 data; @Iams3le already did it very well right here: 

To improve security, I would use the least privilege approach and only assign the permissions which are required for the task at hand. But I'm a bit confused about the best way to do it.

Regarding the required permissions in the help center (https://helpcenter.veeam.com/docs/vbo365/guide/vbo_required_permissions.html?ver=60), we need Veeam Backup Account Permissions and Azure AD application permissions.

Are the Veeam Backup Account Permissions mandatory with the Modern App Only Authentication? 
In my understanding, they are only needed when we need to use the legacy mode.

For the creation of the Azure AD app, we need to provide a user to log in to M365. What kind of account do you use at this step? A dedicated service account or an admin user account?

The requirements for the user account are the following:

  • Global Administrator

It’s a privileged role so I would like to limit this attribution.

If I create a custom Azure AD application, does my account still need to have this permission?

Thanks!


5 comments

Userlevel 7
Badge +21

Are the Veeam Backup Account Permissions mandatory with the Modern App Only Authentication? 
In my understanding, they are only needed when we need to use the legacy mode.

Correct, it’s for Modern App + Legacy Protocols, or Basic Auth

For the creation of the Azure AD app, we need to provide a user to log in to M365. What kind of account do you use at this step? A dedicated service account or an admin user account?

The requirements for the user account are the following:

  • Global Administrator

It’s a privileged role so I would like to limit this attribution.

You need this to create the application IIRC, then you can strip the application permissions back to just what is required for backup & restore.

If I create a custom Azure AD application, does my account still need to have this permission?

This is an “it depends” question, more related to when you select your Azure AD Application: you can ask Veeam to grant the required permissions. IIRC when you specify that you don’t want Veeam to grant permissions, you’re not asked to sign in as a Global Admin (doesn’t need to be global admin to your application account but any GA). If you pre-configure the permissions, you should be fine without this.
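One way to check that an app registration has been stripped back to a required set, as an added example that is not part of the original thread or Veeam's own tooling: it compares the `requiredResourceAccess` section of an app manifest against a baseline and reports excess and missing entries. The sample manifest, the permission GUIDs and the baseline are constructed placeholders; the real baseline has to come from the required-permissions page linked in the question.

```python
import json

# Resource appId of Microsoft Graph in Azure AD.
GRAPH = "00000003-0000-0000-c000-000000000000"

# Constructed sample with the shape of an app registration manifest.
# All permission GUIDs below are made up for illustration.
SAMPLE_MANIFEST = json.dumps({
    "displayName": "backup-app (constructed)",
    "requiredResourceAccess": [
        {"resourceAppId": GRAPH, "resourceAccess": [
            {"id": "11111111-0000-0000-0000-000000000001", "type": "Role"},
            {"id": "11111111-0000-0000-0000-000000000002", "type": "Role"},
            {"id": "11111111-0000-0000-0000-000000000003", "type": "Scope"},
        ]},
    ],
})

# Placeholder baseline: fill in from the vendor's required-permissions page.
# Each entry is (resource appId, permission id, type).
BASELINE = {
    (GRAPH, "11111111-0000-0000-0000-000000000001", "Role"),
    (GRAPH, "11111111-0000-0000-0000-000000000004", "Role"),
}


def audit_permissions(manifest_json, baseline):
    """Return (excess, missing) as sorted lists of (resource, id, type)."""
    manifest = json.loads(manifest_json)
    requested = set()
    for resource in manifest.get("requiredResourceAccess", []):
        app_id = resource["resourceAppId"].lower()
        for access in resource.get("resourceAccess", []):
            requested.add((app_id, access["id"].lower(), access["type"]))
    wanted = {(r.lower(), i.lower(), t) for r, i, t in baseline}
    return sorted(requested - wanted), sorted(wanted - requested)


if __name__ == "__main__":
    excess, missing = audit_permissions(SAMPLE_MANIFEST, BASELINE)
    for resource, perm_id, perm_type in excess:
        # "Role" is an application permission, "Scope" a delegated one.
        kind = "application" if perm_type == "Role" else "delegated"
        print(f"EXCESS  {kind:11} {perm_id} on {resource}")
    for resource, perm_id, perm_type in missing:
        print(f"MISSING {perm_type:11} {perm_id} on {resource}")
```

The manifest lists what the app requests; what has actually been consented is recorded on the service principal, so that needs the same comparison.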

Userlevel 7
Badge +21

I’ll check in my lab tomorrow 😊

Userlevel 7
Badge +7

Thanks @MicoolPaul for your answer.

Yes, in my comprehension, Veeam needs to have an account with the global admin role to create the app with all the appropriate rights.

In the case where the application is created manually, it seems that it is not a requirement, but I'm not sure.

But in any case an account needs admin rights to restore with the explorers (Exchange, SharePoint, Teams administrator roles).

Unfortunately I don't have an M365 account to test this in my lab :(
 

Userlevel 7
Badge +7

I’ll check in my lab tomorrow 😊

Hello @MicoolPaul, hope you are fine :)

Did you have time to test in your lab? 

Userlevel 7
Badge +2

I’ll check in my lab tomorrow 😊

Hi @MicoolPaul,
If the global administrator role is not required for the service account for VBO365, what will be the minimum required permission to perform the backup and the restore?

Thank you,
