modern certificate-based authentication also for Sharepoint/OneDrive and Teams Objects?

[iivel]

Currently, it's only possible to use the certificate-based authentication for Restoreing Exchange Objects.
However, Restoring Sharepoint/Onedrive and Teams Objects still require user Login with Sharepoint.Administrator or Team.Adminstrator Roles assigned.

Is integration of certificate-based authentication for all restore jobs planned for any future release?
This would reduce complexity for Helpdesk staff to restore MS365 objects.

According to post517683.html?hilit=modern%20certific ... n.#p517683 impersonation roles are deprecated by MS in 2025 anyway.

Kind Regards,
Michael

[Mildur]

Hi Michael,

Thank you for your request. Unfortunately, there is no information we can share today when it may be available.

This would reduce complexity for Helpdesk staff to restore MS365 objects.

Have you considered using our Restore Portal? You can assign a Restore Operator role to your helpdesk team, allowing them to use the Restore Portal to restore objects without needing the SharePoint Administrator or Team Administrator role assignments.

Currently, it's also possible to perform these actions using REST APIs or PowerShell. If you have developed your own web portal, you can utilize the REST API to restore such items with certificate-based authentication.

Best,
Fabian

[iivel]

Sorry for coming back after such a long time - but finally, I found the time to set up the Restore Portal and configure Restore Operators roles.
I followed the guide "Configuring Restore Portal for Multiple Tenants", but this includes setting up "Backup as a Service with Veeam Backup for Microsoft 365 usage scenario", which is not an option, because no local repositories are supported.

So I just set up everything else according to the guide.
Unfortunately, if I interprete it correctly, in this scenario one must configure one Restore Operator Role per Organization, and can only add users or groups from that specific organisation to that role (and not server-local users like in Enterprise Administrator).
So that's not really working for Helpdesk staff to restore MS365 objects from multiple organizations with there personal login, unless they have an account in every organizations tenant - is this correct?
Or is there any way to create Restore Operator roles for multiple organizations or add local users (or users from other organizations) to this role?

[Polina]

Hi Michael,

1) Your understanding is correct - a restore operator must belong to the M365 tenant which data they want to restore.
2) You mentioned a scenario where "no local repositories are supported" - could you please elaborate on it? Because, AFAIR, the Restore Portal doesn't have such a limitation.

Thanks!

[iivel]

Hi Polina

Thanky you for the confirmation!
The scenario where "no local repositories are supported" is regarding "SP Veeam Cloud Connect Infrastructure" with cloud connect which might probably support restore-operators to act across tenants, but - as far a smy understandign goes - only supports cloud ressources for repositiries.

[Polina]

In Cloud Connect scenarios, there're no limitations by the repository type; service provider tenants can connect and restore their data from Jet-based repositories as well as from object storage.