Automatically granting Exchange roles during setup

[pinkerton]

Dear all,

we are looking into deploying Veeam for Office 365 for our 600 mailboxes and are currently preparing a test setup. I now would like to add our Office 365 tenant to VBO and am currently setting up the service account and permissions in Office 365. We would like to use a service account with MFA so we are using modern authentication.

Regarding the SharePoint service account I understand that the only role needed is the SharePoint Administrator role. Regarding Exchange, we seem to need the roles ApplicationImpersonation, View-Only Configuration, View-Only Recipients, Mailbox Search, and Mail Recipients as described in the following Veeam article:

https://www.veeam.com/kb2969#AzureADApplication

I however currently don't understand the point of the Grant this account required roles and permissions checkbox during setup. The online user guide states the following:



So it actually seems that this checkbox only adds the ApplicationImpersonation role but not the other required ones for Exchange. So whats the point of the checkbox when you need to assign the other aforementioned permissions manually anyway? Or is it meant for service accounts with global admin permissions to also assign them the ApplicationImpersonation role (which maybe is not in included in the global admin role?!).

I also don't understand the sentence of the user guide:

The ApplicationImpersonation role can only be assigned to organizations that are not in the compressed state (i.e. to hydrated organizations)

What are compressed and hydrated organizations? I'm only aware of hybrid organizations.

Thanks
Michael

[Polina]

Hi Michael,

You guessed it right - the checkbox is provided for the convenience of those customers who prefer to use a highly-privileged Global Admin account and do not want to set any additional permissions manually.

"Dehydrated" state is the default state of an Office 365 tenant:

... because the tenant is currently in a compressed state. This is called dehydrated or tiny tenant mode. Think about the multitude of customers in Office 365 that have a basic tenant and do not need to make any customisations or configure a hybrid deployment. Those customers can run quite happily in the default dehydrated mode and parts of their configuration are compressed to save on space and resources. The dehydrated state is the default for a tenant.

(source)

Thanks!

[hyphen]

I'm not the OP but this is related to what I was looking for. Does the account we use to connect must be a Global Admin in Office 365? If not, which role is required? Does it need to have a license in Office 365? What is the best practice?

Thank you.

[tsmith_co]

It does not need to be a global admin. You can create an account and assign it the 4 Exchange online permissions listed above. (Also Sharepoint admin if backing up OneDrive and/or SharePoint Online).

The account does NOT need an o364 license.