Maintain control of your Microsoft 365 data
lance-armah
Novice
Posts: 3
Liked: never
Joined: Jul 07, 2022 8:57 am
Full Name: Lance Armah-Abraham
Contact:

Updating certificate of applications on veeam backup for microsoft 365 organizations through API

Post by lance-armah »

I want to add a new organization to my Veeam Backup server with the Veeam Backup for Microsoft 365 APIs.

I have a custom certificate that I want to use for the application created for the customer's organization. How do I add this certificate? Initially, what I wanted to do was create an application with the Applications API https://helpcenter.veeam.com/docs/vbm36 ... plications so that I can supply a custom SSL certificate to the application. But in the API request to add an organization, it does not have a field to specify an application id to use. The field I can confirm is available is (configureApplication) in the API schema which does not allow the specification of an application id to be used.

Is there a way I can add this custom application with the certificate to the organization or a way to directly use the create organization API and specify a custom SSL certificate?
Mildur
Product Manager
Posts: 8735
Liked: 2296 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Updating certificate of applications on veeam backup for microsoft 365 organizations through API

Post by Mildur » 1 person likes this post

Hi Lance Armah

Welcome to the RnD forum.

Have you tried the Add Organization Endpoint and using an existing application id?
https://helpcenter.veeam.com/docs/vbm36 ... zation_Add

Each Service (exchangeOnlineSettings, sharePointOnlineSettings) has the requested properties (app id, cert):

"useCustomVeeamAADApplication": true,
"applicationId": "00000000-0000-0000-0000-000000000000",
"applicationCertificate": "string",
"applicationCertificatePassword": "pa$$word",
"applicationCertificateThumbprint": "string"

You can also use the endpoint to create a new application with your own certificate:
https://helpcenter.veeam.com/docs/vbm36 ... &t=request

Best,
Fabian
Product Management Analyst @ Veeam Software

Re: Updating certificate of applications on veeam backup for microsoft 365 organizations through API

Post by lance-armah »

Hi, Fabian, thanks for the reply.

Yes I have seen those APIs. I just was not sure which ones to use or supply the application certificates to. So in this case, if I were to go by this, then I have to create an application with the create application endpoint, I can use the credentials to supply the details to the exchangeOnlineSettings and sharePointOnlineSettings right?

Just a few questions:
1. Will I be able to back up an entire organization's resources including sites, users... because I was worried supplying it to only the exchangeOnlineSettings and sharepointOnlineSettings might not cover all Microsoft 365 resources and cause me to miss some of them.

2. What about the permissions, when I create an Azure application with the Application endpoint, will it also configure the permissions?
If not, I see that the create organization endpoint has a field, "configureApplication", will it help me to add the permissions? It also has a question mark because it basically auto assigns the certificate and permissions so I am assuming when I enable it, it will overwrite the certificate.

3. In the exchangeOnlineSettings and sharePointOnlineSettings, the "applicationCertificateThumbprint": "string" seems to be required but when creating an application, this is not a field I supply so I am wondering if it's not required or there's a way I can get it.

Re: Updating certificate of applications on veeam backup for microsoft 365 organizations through API

Post by Mildur » 1 person likes this post

Hi Lance

> 1. Will I be able to back up an entire organization's resources including sites, users... because I was worried supplying it to only the exchangeOnlineSettings and sharepointOnlineSettings might not cover all Microsoft 365 resources and cause me to miss some of them.

Have you tried the endpoint for a test tenant? Did you see any issues?
- Exchange is covered by exchangeOnlineSettings.
- SPO, OneDrive and Teams Files are covered by sharepointOnlineSettings.
- Teams is covered by isTeamsOnline and isTeamsChatsOnline.

> 2. What about the permissions, when I create an Azure application with the Application endpoint, will it also configure the permissions?

When you use "configureApplication", all necessary permissions will be configured for you.

> 3. In the exchangeOnlineSettings and sharePointOnlineSettings, the "applicationCertificateThumbprint": "string" seems to be required but when creating an application, this is not a field I supply so I am wondering if it's not required or there's a way I can get it.

You have to provide a certificate if you let the software create the application for you. This certificate will be used for authentication against the Azure application. The certificate can be created by default Windows PowerShell commands on the VB365 server: post450150.html#p450150

Best,
Fabian
Product Management Analyst @ Veeam Software

Re: Updating certificate of applications on veeam backup for microsoft 365 organizations through API

Post by lance-armah »

Hi Fabian,

Thanks for your reply. Ok, so I can directly configure the resources I want to be backed up with the options you mentioned. I understand that.

The problem we are trying to solve is to onboard a user on a Veeam server through APIs.

We have outlined the steps required but particularly it's the first step where we are having the questions, thus creating the organization on the Veeam backup server. When we went through the process manually, we decided to create and use a Let's Encrypt SSL certificate for the application so we were able to supply that SSL certificate from the Veeam console.
We faced other challenges like having to manually add our Veeam restore portal URL to the Azure application created for our organization on the Azure portal as a Redirect URI (Platform configuration for SPA).

So now, what we want to do is to automate this process through APIs, we hit a bump with adding the certificate, which you mentioned we can supply to the exchangeOnline and sharepointSettings. But still, on the certificate, we don't have that "applicationCertificateThumbprint" value because after creating the certificate, we only have the certificate or the key which in this case we'd have to make a base64 string to supply it to the API but we lack that "applicationCertificateThumbprint" value.

And also, is there a way we can update the redirect URI for the Azure application from the APIs? I can see that when creating an application, it's not an option that can be supplied. The only other option we see at the moment is to request manual access into the organization application to add the Redirect URI.
We want to give them access to the restore portal and in the documentation and tests, we realized that we needed to add the redirect URI (the restore portal URL) to the Azure application else it did not work for authenticating the organization users.

We do face another issue, which is that the endpoint for creating applications requires that we specify an organization id so this means that we have to create the organization first before we can create an application.
We are wondering how that will work in terms of supplying the certificate since when the organization is created, it requires an application and an application requires the organization to have been created. So in such a case, if we create an organization first, will we have to delete the previous application and create a new one with the certificate or do newly created applications replace the old one?

There's an option in the create organization endpoint ("newApplicationName"). It's supposed to specify a new application with a specified name.
If we use this option and we supply the certificates, will that work in terms of creating a new application with the supplied ssl certificates so we don't have to create a new application as mentioned in the previous point?

Thanks.
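
Added example, not part of the original posts and not Veeam code: one way to derive the thumbprint and the base64 string discussed above from Let's Encrypt style files. It assumes the thumbprint wanted is the usual Windows one (SHA-1 over the certificate's DER bytes, upper-case hex) and that applicationCertificate takes the base64 of the PFX file; the function names and demo values are hypothetical.

```python
import base64
import hashlib
import re

# Matches each certificate block in a PEM file (fullchain.pem holds several).
_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def leaf_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first certificate block (the leaf)."""
    match = _PEM_CERT.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    # validate=True would reject newlines, so strip whitespace first.
    body = "".join(match.group(1).split())
    return base64.b64decode(body, validate=True)


def thumbprint(pem_text: str) -> str:
    """SHA-1 over the DER encoding, upper-case hex, as Windows displays it."""
    return hashlib.sha1(leaf_der(pem_text)).hexdigest().upper()


def certificate_fields(pem_text: str, pfx_bytes: bytes, pfx_password: str) -> dict:
    """Build the certificate properties quoted in the thread.

    Assumption: applicationCertificate carries the base64 of the PFX file and
    the thumbprint is the SHA-1 form; confirm both against the REST reference.
    """
    return {
        "applicationCertificate": base64.b64encode(pfx_bytes).decode("ascii"),
        "applicationCertificatePassword": pfx_password,
        "applicationCertificateThumbprint": thumbprint(pem_text),
    }


def _pem(der: bytes) -> str:
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed stand-ins, not real certificates: two tiny DER values in the
# leaf-then-issuer order of a fullchain.pem.
DEMO_LEAF, DEMO_ISSUER = bytes.fromhex("3003020101"), bytes.fromhex("3003020102")
DEMO_CHAIN = _pem(DEMO_LEAF) + _pem(DEMO_ISSUER)

if __name__ == "__main__":
    print(certificate_fields(DEMO_CHAIN, b"constructed-pfx-bytes", "placeholder"))
```

Hashing the PEM text or the whole chain file instead of the leaf's DER bytes yields a value that does not match the thumbprint shown for the certificate in Windows or the Azure portal.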

Re: Updating certificate of applications on veeam backup for microsoft 365 organizations through API

Post by Mildur »

Hi Lance

I need to try these steps with the certificate in my lab myself and give you an update. But I'm out of office the next few days.

> And also, is there a way we can update the redirect URI for the Azure application from the APIs? I can see that when creating an application, it's not an option that can be supplied. The only other option we see at the moment is to request manual access into the organization application to add the Redirect URI.

For the restore Portal application, not every M365 organization requires its own application for the restore portal.
Are you using a hosted service for all those tenants? Or do you deploy VB365 server per organization?
For a single VB365 server which serves multiple M365 tenants, only one application in the service provider M365 tenant is required. In the customer M365 tenants, you need to approve the usage of the Service Provider Tenant application.
You can get more information about the configuration here:
https://helpcenter.veeam.com/docs/vbo36 ... le-tenants

> We do face another issue, which is that the endpoint for creating applications requires that we specify an organization id so this means that we have to create the organization first before we can create an application.

Which API endpoint would that be? The one I have posted doesn't require a VB365 organization ID:
https://helpcenter.veeam.com/docs/vbm36 ... zation_Add

> So in such a case, if we create an organization first, will we have to delete the previous application and create a new one with the certificate or do newly created applications replace the old one?

An already created organization does have a VB365 organization ID. You can use the Edit Organization Endpoint to update its configuration or replace the application. Removing the entire organization is not required.
https://helpcenter.veeam.com/docs/vbm36 ... ion_Update

Best,
Fabian
Product Management Analyst @ Veeam Software