Maintain control of your Microsoft 365 data
Johnny L
Service Provider
Posts: 50
Liked: 16 times
Joined: Mar 22, 2021 11:37 am
Full Name: Johnny Løberg

Clarification around "Modern App-Only Authentication"

Post by Johnny L »

Greetings,

This is, hopefully, a quick and simple question.

Before my time all customer-tenants got a dedicated account with exactly the necessary permissions to be used for impersonation in order to do backups.

After building a new backup-environment we configured all tenants with Modern Authentication only ("Allow for using legacy authentication protocols" is unchecked). It has been my understanding that this removes the need for a Microsoft 365-account to do the impersonation, this is further supported in the user guide "Adding Organizations with Modern App-Only Authentication": https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=50

However, while troubleshooting an unrelated issue with support the other day I was told that we still use an account for impersonation. In our case this is a global administrator account (which was used to add the Azure Applications). This, again, is backed by the GUI stating "Specify a user account to use for impersonation in Exchange Online Web Services".

Can you please provide some clarification to this misunderstanding?
Polina
Veeam Software
Posts: 3195
Liked: 774 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva

Re: Clarification around "Modern App-Only Authentication"

Post by Polina »

Hi Johnny,

The impersonation account is indeed still needed even when using an app for all backup operations. The account you specify is not used for processing any data, but instead it provides the application rights to access users' mailboxes.

As per Microsoft documentation:
Use impersonation when you have a service application that needs to access multiple mailboxes and "act as" the mailbox owner.
HangTen
Veeam Legend
Posts: 30
Liked: 1 time
Joined: Jan 21, 2021 3:17 pm
Full Name: Hin Tang

Re: Clarification around "Modern App-Only Authentication"

Post by HangTen »

Can you let me know what the minimum requirements for that impersonation account would be and/or if there is any way to work around it? I have a customer who has moved to modern authentication only and is asking why the old account needs to stay active.
Polina
Veeam Software
Posts: 3195
Liked: 774 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva

Re: Clarification around "Modern App-Only Authentication"

Post by Polina »

Hi Hin,

There're no specific requirements at all. Technically, it could be any user account of your choice. The app you use for backup will get an access token to impersonate using this account.