License counts when using modern app-only authentication

[JaySt]

I was pointed to https://www.veeam.com/kb3146 in a discussion about the authentication method to use. I wanted to go for "app-only" mode.

the KB mentioned a limitation when using this mode:
The type property for shared and resource/equipment mailboxes cannot be resolved. Such mailboxes will be available for backup with a general ‘User’ type.

would this mean that i need to buy Veeam licenses for shared mailboxes as well now when using that method??

[Mike Resseler]

No it doesn't. However, if those shared mailboxes use a license then we will use one also. So make sure those shared mailboxes are unlicensed. In App-only mode we will query MFST to see if it is licensed or not, while before we could see it based on the type. In app-only mode, MSFT delivers us the type user for mailboxes and for shared ones where previously there was a difference. So we need to query it differently in app-mode

Makes sense?

[JaySt]

ah that's good to know!
So, is it actually limitation then if the type property is queried differently but retrieved after all?
i'm working with a service provider using VBO v5b backing up alot of customers and they refuse to support app-only auth due to limitations, one of which ( according to them), is the the license overusage as a result of not being able to differentiate between user and shared/resource mailboxes. They only charge for user mailboxes. They also would have problems providing the certificate used to upload to the Azure application created.
any suggestions for responding to them?

[Polina]

>> So, is it actually limitation then if the type property is queried differently but retrieved after all?
Correct. And as Mike said, it doesn't affect VBO licensing. If a user (regular or shared) is not licensed in Office 365, it won't consume a VBO license as well.

>> They also would have problems providing the certificate used to upload to the Azure application created.
There's an option to create an app automatically with VBO and use a self-signed certificate. Won't it work for them?

[JaySt]

When the app is deployed automatically during the onboard process, the customer would need to provide admin credentials to the service provider to do so. If a customer could prepare the app himself (either by running the wizard with the veeam software or do it completely manual), all that would be needed is the certificate from the serviceprovider to be uploaded to the application by the customer for the service provider to successfully connect to the app. So i'm looking for the leas amount of credential-exchange during onboarding.

[tsmith_co]

Actually, with app-only there is no need to provide credentials to the service provider. App-only uses device code flow authentication. So, the provider can setup the org, provide the customer a code. The customer logs in with their credentials on their browser and input that code, and the veeam deployment is authorized now to setup the app registration in azure.

[JaySt]

Yes, that could be an option.