Self Service Portal - Multiple Tenants on Same Server

[jpolansky]

I am using the Self Service portal on a separate Windows server from my VBO server as shown here: https://helpcenter.veeam.com/archive/vb ... arate.html

I want to put multiple tenants on the same Self Service Portal server so they can all sign in and see their own backups, and I was able to accomplish this by creating the Enterprise Application for my tenant, then sharing it with each tenant by having them run New-AzureADServicePrincipal -AppId "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" then granting admin permissions to the application in Entra.

I fear this may be an unsupported configuration and will cause me issues if I ever need to engage Veeam support. Does anyone have experience with doing this? Are there any potential downsides?

[edh]

Hi Jonathan,

We use a script like this:

https://vitanium.com/wp-content/uploads ... Portal.txt

You will execute as admin, set execution policy bypass and it will setup the application id to your tenant.

Just change on top the appID.

Each tenant will need to run this script in their side just one time.

[MarkBoothmaa]

We have exactly this setup for our customers. We have the portal on a seperate server and deploy the restore portal app to each tenant we backup.

We had had no issues with tenants accessing the restore portal.

[jpolansky]

Thank you for the replies. Do you find that you have any trouble getting support from Veeam with this configuration?

[Mildur]

It’s a fully supported scenario and best practice to have the Restore Portal on a separate machine. You don’t want to put the main backup server directly accessible from the internet.

Don’t forget to enable the “Enable restore operator authentication only” option on the dedicated Restore Portal machine to limit the available API endpoints to “restore only functionality”.

VCSP best practice guide: https://bp.veeam.com/sp/SaaS/S_Build/ap ... #sp-restop

Best,
Fabian

[LukasK]

Hi,

we use this design with a restore portal on a separate machine too as a service provider.
Some of our clients had problems with the script.

We sometimes use the "manual" way via:

Install-Module Microsoft.Graph
Connect-AzureAD (a bit different from the CMDlet used in the script)
New-AzureADServicePrincipal -AppID XYZ

After that you can assign the admin permissions in the Entra ID Admin Center
BR
Lukas

[jpolansky]

Thanks everyone for the replies. Sharing this in case it is helpful for anyone else who stumbles on this.

Instead of using the provided script to set up additional tenants, I set up a proxy that redirects traffic to this URL:

Code: Select all

https://login.microsoftonline.com/organizations/v2.0/adminconsent?client_id=xxxxxxxx-xxxxxxxx-xxxxxxx-xxxxxxxx&redirect_uri=https://restore365.domain.com&scope=User.Read%20api://xxxxxxxx-xxxxxxxx-xxxxxxx-xxxxxxxx/access_as_user

Replace the Redirect URI and Application IDs.

This automatically configures the Enterprise application and prompts the user to accept the permissions, then redirects them back to the Self-Service Portal where they can log in.