Self-restore portal
Veeam Backup for Microsoft 365 lets users explore and restore data from backups by themselves or delegate this task to somebody else in their organization. In these scenarios, Veeam Explorers are not needed to explore and restore backed-up data. Instead, users work in Restore Portal, a web-based solution that performs all operations in a web browser window. You can configure the Restore Portal settings and assign the restore operator role to users or groups so that they can perform self-service restore. Restore operators are allowed to explore and restore data from backups created by Veeam Backup for Microsoft 365 for specific organization object types: users, groups (group members only), sites, teams, or the entire Microsoft 365 organization.
This article contains a summary of actions that must be performed before starting to use Restore Portal, including installing the Veeam Backup for Microsoft 365 REST API component and enabling the Veeam Backup for Microsoft 365 REST API Service.
For more information about Restore Portal, see Data Restore Using Restore Portal.
Job best practices
1. Consider Azure AD’s dynamic group membership or standard groups for making backup jobs dynamic as users are added or removed from the organization. Consider dynamic group backup jobs, especially with the expanded scalability features. Job splitting is highly recommended for larger environments, with a max of 2,000 users per job for optimal performance.
2. Consider splitting up jobs and their repositories by business unit, service type (e.g., Exchange versus OneDrive), total number of users (no more than 2,000 users per job recommended), etc. for ease of management, different retention requirements or future scaling plans. VB365 v8 introduces proxy pooling, enabling more efficient job management for environments with over 2,000 users. This feature enhances scalability and streamlines the processing of large backup jobs by distributing them across multiple proxies.
Common roadblocks
As you move through the deployment, you may encounter some common roadblocks:
- Throttling
It’s not uncommon for those initial backups to take a bit of extra time and to encounter throttling that is set on the Microsoft 365 side. Once you’ve moved past that initial backup, expect to see daily backup times normalize. Meanwhile, consider requesting that Microsoft Support temporarily lift some of the applied throttling. Veeam recommends reviewing the updated guidance on temporary throttling relief. After initial sending, request Microsoft to lift some of the throttling to improve daily backup times. Continue reading in the Best Practice Guide.
- How to Temporarily Disable Exchange Web Services Throttling
- How to test Exchange Online service connection performance using Microsoft Support and Recovery Assistant
- Heavy WAN utilization
In some scenarios, especially when the WAN link is shared, you may decide to apply a network bandwidth throttle to your proxy server(s) to limit how much WAN bandwidth they are allowed to consume as they pull data from Microsoft 365. By default, 64 threads are used, but we recommend 32 or fewer for the initial seeding. Once this is complete and stable operations are ensured, you can increase it back to 64. Proxy pooling can help alleviate heavy WAN usage by spreading jobs across multiple proxies. This reduces the load on any one server and optimizes data transfer performance.
- Configuring proxies
Our best practice guide notes no more than 20,000 objects per proxy with eight cores/32GB of RAM. However, depending on the hardware in use, a proxy with more cores/RAM could handle more than 20,000 objects. Check the full table of system requirements.
Need to utilize a web proxy to connect to internet services? There is both an internet proxy setting for the backup server, as well as an individual setting per backup proxy.
Continue reading on some other common issues here.
Authentication method
- Use modern app-only authentication. It is strongly recommended because it gives you the best performance, the most security and is the most future-proof option.
- Microsoft announced that it would disable basic authentication beginning Oct. 1, 2022. While this was already postponed a few times and might be again, we recommend not relying on basic auth anymore.
- Only enable Legacy Protocols with modern authentication, or even fall back to basic authentication, if you really need one of the features that are not available today via Microsoft’s Graph API (and thus not with modern app-only authentication). Please see Veeam KB3146 for limitations that come with modern authentication.
Least privilege approach
- To improve security, use the least privilege approach and only assign the permissions which are required for the task at hand.
- When using the wizard to add a new organization and create the Azure AD application from within the wizard, this application will have all possible permissions Veeam Backup for Microsoft 365 might need. However, you might only need a portion of it, because you are only backing up Exchange, or you want to separate the restore permissions to another application.
- On the Veeam Help Center Required Azure AD Permissions you can find a detailed list of permissions and what they are used for. With this information you can build a least privilege model and only assign the required permissions to the Azure AD applications.
- The least privilege model can enhance your security. When adding a new organization, carefully assign only the necessary permissions to the Azure AD application. Refer to the Veeam Help Center for a detailed list of permissions needed for various backup tasks.
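One way to check an existing application against such a least privilege model, shown as an added example that is not Veeam's or Microsoft's code: it resolves the application's granted app role assignments to permission names and compares them with an allowlist. The record shapes follow Microsoft Graph `appRoleAssignments` and `appRoles`; all IDs, the sample grants and the allowlist are constructed, and the real allowlist should come from the Required Azure AD Permissions page.

```python
# Added example. IDs, grants and allowlist below are constructed sample data.
GRAPH_SP = "11111111-0000-0000-0000-000000000001"  # constructed resource ID
EXO_SP = "11111111-0000-0000-0000-000000000002"    # constructed resource ID

# Resource service principals and the app roles they publish.
RESOURCES = {
    GRAPH_SP: {"displayName": "Microsoft Graph", "appRoles": [
        {"id": "a1", "value": "Directory.Read.All"},
        {"id": "a2", "value": "Group.Read.All"},
        {"id": "a3", "value": "Sites.FullControl.All"},
    ]},
    EXO_SP: {"displayName": "Office 365 Exchange Online", "appRoles": [
        {"id": "b1", "value": "full_access_as_app"},
    ]},
}

# Application permissions currently granted to the backup application.
ASSIGNMENTS = [
    {"resourceId": GRAPH_SP, "appRoleId": "a1"},
    {"resourceId": GRAPH_SP, "appRoleId": "a3"},  # not needed for Exchange-only
    {"resourceId": EXO_SP, "appRoleId": "b1"},
    {"resourceId": GRAPH_SP, "appRoleId": "zz"},  # ID that cannot be resolved
]

# Hypothetical allowlist for an Exchange-only backup application (assumption).
ALLOWED = {
    ("Microsoft Graph", "Directory.Read.All"),
    ("Microsoft Graph", "Group.Read.All"),
    ("Office 365 Exchange Online", "full_access_as_app"),
}

def audit_app_roles(assignments, resources, allowed):
    """Return excess, missing and unresolved application permissions."""
    granted, unresolved = set(), []
    for a in assignments:
        res = resources.get(a["resourceId"])
        roles = {r["id"]: r["value"] for r in res["appRoles"]} if res else {}
        value = roles.get(a["appRoleId"])
        if value is None:
            # Unknown role IDs are reported, never silently treated as allowed.
            unresolved.append((a["resourceId"], a["appRoleId"]))
        else:
            granted.add((res["displayName"], value))
    return {"excess": sorted(granted - allowed),
            "missing": sorted(allowed - granted),
            "unresolved": unresolved}

if __name__ == "__main__":
    for kind, items in audit_app_roles(ASSIGNMENTS, RESOURCES, ALLOWED).items():
        print(f"{kind}: {items}")
```

Entries under `excess` are candidates for removal from the application, and entries under `missing` explain a backup job that fails for lack of permissions.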
Proxy deployment scenarios
Veeam Backup for Microsoft 365 offers the following deployment scenarios for a backup proxy server:
- Domain backup proxy:
In this scenario, a machine used as a backup proxy server resides in the same domain as the Veeam Backup for Microsoft 365 server or in a trusted domain. To establish a connection with a domain backup proxy, Veeam Backup for Microsoft 365 uses credentials that you provide when you add a backup proxy server to the Veeam Backup for Microsoft 365 infrastructure.
- Workgroup backup proxy:
In this scenario, a machine used as a backup proxy server resides in a workgroup. To establish a connection with a workgroup backup proxy, Veeam Backup for Microsoft 365 uses an SSL certificate. For more information, see Security Settings.
Immutability
Veeam Backup for Microsoft 365 allows you to prohibit deletion of backup copies from object storage by making that data temporarily immutable. Immutability requires object storage and can be used only to store backup copies.
- Immutability with S3 and S3-compatible buckets requires Object Lock to be enabled during bucket creation.
- Immutability with Azure Blob requires Versioning on the Azure Blob storage account when creating the Azure container.
Pro tip: If you have extended your backup repository with object storage for which immutability was enabled, you cannot configure Veeam Backup for Microsoft 365 to store data in the backup repository forever. The Keep forever option becomes unavailable. Keep in mind that once configured, this setting cannot be changed for such backup repositories. Continue reading here.
Before you go! Ensure that Veeam Backup for Microsoft 365 is up to date with the latest patches and updates. This will ensure that you have access to the latest features and bug fixes.
Congratulations! You have completed your fundamentals onboarding for Veeam Backup for Microsoft 365.
If you need more help getting started, you can post your question in the comments section below or contact us at any time and someone from the Customer Success team will be there to assist you.