So if you have an MFA (multi-factor authentication) service account created for VBO365 in order to add and back up the organization, what account do you use to perform restores? When trying to perform a restore to an Exchange mailbox and using the MFA service account for permission, it goes through the MFA process and then after entering in the token key sent to the assigned phone number for that MFA service account, we get the following error:
AADSTS500113: No reply address is registered for the application
In research it appears to be related to the request URI and that the default user type setting specified in the following Microsoft link should probably be set to a "public client" (which is a scary thing for Microsoft to call it LOL):
https://docs.microsoft.com/en-us/azure/ ... gistration
So all Exchange needs (from a high level) is an account with global admin and the impersonation role in order to restore to any email account in the organization, right? So what does Veeam recommend as a best practice for doing restores: should we be using the MFA service account with the app registration default user type set to "public client" or should the VBO365 admins be using their own global admin accounts with impersonation role granted in order to perform restores?
Just looking for guidance... Thanks!
- Curt Fortenbery (Influencer)
- Mike Resseler (Product Manager)
Re: Best Practices for Restore: what account to use
Hi Curt,
Yes, using an account with app registration is indeed what we prefer. This account or app ID does not have to be the same as the one that is used by the service itself. You can create multiple different ones; you just need to give the ID enough rights.
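Added example (not part of either post, and not Veeam's or Microsoft's code): a Python check that audits app registrations exported as Microsoft Graph `application` JSON for the two settings the question turns on, namely whether any reply (redirect) address is registered, which is what the AADSTS500113 text complains about, and whether public client flows are enabled. The sample objects, app names and finding labels are constructed, and the input shape (`web`/`spa`/`publicClient` redirect URIs plus `isFallbackPublicClient`) is an assumption about how the registration was exported.

```python
import json

# Constructed sample in Microsoft Graph "application" shape; IDs are placeholders.
SERVICE_APP = json.loads("""
{
  "appId": "00000000-0000-0000-0000-000000000001",
  "displayName": "vbo365-backup-service (constructed)",
  "isFallbackPublicClient": false,
  "web": {"redirectUris": []},
  "spa": {"redirectUris": []},
  "publicClient": {"redirectUris": []}
}
""")

# Constructed sample: a separate restore app ID, as the reply says is allowed,
# with a registered reply address and public client flows switched on.
RESTORE_APP = dict(
    SERVICE_APP,
    appId="00000000-0000-0000-0000-000000000002",
    displayName="vbo365-restore (constructed)",
    isFallbackPublicClient=True,
    publicClient={"redirectUris": ["http://localhost"]},
)

PLATFORMS = ("web", "spa", "publicClient")


def audit_app(app):
    """Return finding labels for one app registration (labels are hypothetical)."""
    findings = []
    # Collect reply addresses from every platform; tolerate missing or null keys.
    uris = [u for p in PLATFORMS
            for u in ((app.get(p) or {}).get("redirectUris") or [])]
    if not uris:
        # Interactive sign-in has nowhere to return the token: AADSTS500113 case.
        findings.append("no-redirect-uri")
    if app.get("isFallbackPublicClient"):
        # Public client flows need no client secret, so surface them for review.
        findings.append("public-client-flows-enabled")
    return findings


def audit_all(apps):
    """Map each app's display name to its findings, for a per-app review list."""
    return {a.get("displayName", "<unnamed>"): audit_app(a) for a in apps}


if __name__ == "__main__":
    for name, found in audit_all([SERVICE_APP, RESTORE_APP]).items():
        print(name, "->", found or ["ok"])
```
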