-
- Service Provider
- Posts: 19
- Liked: 4 times
- Joined: Jan 02, 2019 4:13 pm
- Full Name: Scott Prudence
Permission levels [feature request]
Hi,
I logged a case with Veeam support (case 03344127) and have been asked to make a post here as a feature request.
I work for an MSP supplying Backup for Office365 to a number of clients. One of our clients is interested in the product but wants to manage backups themselves. I've installed an SSL certificate and enabled the remote console access, but during my testing I can still see all of my organizations, and I'd like to restrict this so that specific users can only access certain organizations.
Going forward with permissions, it would also be useful to only allow restores to be performed by specific users. For example, for internal use, some of our SharePoint sites contain confidential information that only technical managers should be able to access or restore data from, but not the technical guys on the helpdesk.
Many thanks.
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
Re: Permission levels [feature request]
Via which account(s) are you performing the login? It is possible to only see the tenant's info when connecting via one of the Veeam Explorers instead of seeing everything.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
-
- Service Provider
- Posts: 19
- Liked: 4 times
- Joined: Jan 02, 2019 4:13 pm
- Full Name: Scott Prudence
Re: Permission levels [feature request]
I'm logging into the console with a local user account that is on the server where we have the software installed. I set the server name and credentials then click Connect.
I've just installed the Veeam Exchange Explorer but when adding a Veeam Backup for Office 365 mailbox store, I can still see all of the organizations.
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
Re: Permission levels [feature request]
This is normal behavior. If you leverage the account used for adding the specific organization, you will only see that specific organization. A server admin has full rights/view on it.
If you add the organization with user@domain.com, it will only see the domain.com organization and nothing else.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
-
- Service Provider
- Posts: 19
- Liked: 4 times
- Joined: Jan 02, 2019 4:13 pm
- Full Name: Scott Prudence
Re: Permission levels [feature request]
OK, I'm not sure I fully understand the process that I need to go through.
The server that I have the software installed on is standalone, not part of a domain. My account on there is a local administrator (which explains why I can see all organizations); however, if I create an account (so that I can log in to the Veeam console) then I can still see all of the organizations. I just tried creating a local account on the server with the same username as the Office 365 service account I created to perform the backups, but it's too long (as it's a full email address). When trying to authenticate to the Veeam console with the Office 365 credentials it doesn't work (I get an error: The server has rejected the client credentials).
Could you please outline the process for being able to log in and only view a single organization?
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
Re: Permission levels [feature request]
Scotty, any account you make on the VBO server will have access to all organizations. Logging in with the O365 account locally won't work. As you said, you are an MSP looking to provide mail backup as a service.
The way it is designed is the following:
- You as an SP host the backups
- A tenant uses VBR to connect via VEX/VESP/VEO to your organization and perform the restores
This is explained in our user guide, and here are 2 blog posts which can help you:
Configuring Service Provider Self Service Recovery with Veeam Backup for Microsoft Office 365
Enhanced Self Service Restore in Backup for Office 365 v2.0
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
-
- Service Provider
- Posts: 19
- Liked: 4 times
- Joined: Jan 02, 2019 4:13 pm
- Full Name: Scott Prudence
Re: Permission levels [feature request]
Thanks for the information. That looks like exactly what I want, but the client doesn't have any servers; all of the workstations are joined to AzureAD, and all mail and data is in Office365. We support smaller businesses, so this is fairly common throughout the customers we support. Being able to create users that can perform restores for a client would be very beneficial, if only for the data protection side of it.
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
Re: Permission levels [feature request]
Another option is to host a web-based portal which leverages the RESTful API and allows the tenant to log in with his O365 login against your VBO365 installation. An example of this can be found on GitHub.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
-
- Service Provider
- Posts: 19
- Liked: 4 times
- Joined: Jan 02, 2019 4:13 pm
- Full Name: Scott Prudence
Re: Permission levels [feature request]
That looks like a possibility, I'll have a test with that, thanks!
-
- Novice
- Posts: 9
- Liked: never
- Joined: Jan 10, 2019 11:18 am
- Full Name: Christian Pellicci
[MERGED] Question regarding Veeam Backup for MS Office 365 as a service provider
Hello All,
We need advice on setting up Veeam Backup for MS Office 365 as a service provider.
I currently have Veeam Backup and Replication set up in Azure UK South Datacentre.
This is connected to Veeam Availability, where customers back up machines using agents or connect their VBR to our cloud repositories.
We are now in the process of creating Veeam Backup for MS Office 365 in Azure UK West Datacentre. I have found that you have to install VBR on the same server as VBO365, and then we are going to need another Veeam Availability site to manage this.
From my understanding we just needed VBO365, and clients could connect to their tenant by downloading the free explorers for Exchange/SharePoint.
As this is not the case I am rethinking the design. I need to keep costs of resource and licenses in mind as it's in Azure. Also, are clients able to connect to their backup without having VBR?
Does anybody have advice on how you are achieving this?
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
Re: Question regarding Veeam Backup for MS Office 365 as a service provider
Hi Christian,
You are looking to offer Mail as a Service which allows you to do this.
You will need to install VBR and VBO on the same machine, and afterward your customers can leverage their explorers to connect (they will need to install VBR free edition though). A blog post on this can be found here.
You can also offer a web portal via the RESTful API which connects to your VBO instance and serves the tenant's content once they log in, allowing them to perform item restores. An example of this can be found here. In this case you don't need to install VBR; however, this also means customers can't use the Veeam Explorers directly.
It's also possible to mix both of these (install VBR+VBO) and next to it offer a VBO web portal for those who don't want to install VBR free edition.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
-
- Veteran
- Posts: 1943
- Liked: 247 times
- Joined: Dec 01, 2016 3:49 pm
- Full Name: Dmitry Grinev
- Location: St.Petersburg
Re: Permission levels [feature request]
Hi Christian,
Your topic has been merged to the similar discussion. Thanks!