Maintain control of your Microsoft 365 data
Post Reply
albertwt
Veteran
Posts: 948
Liked: 53 times
Joined: Nov 05, 2009 12:24 pm
Location: Sydney, NSW
Contact:

Does the Veeam Backup for Microsoft 365 uses Global Administrator as the service account?

Post by albertwt »

Hi Team,

Does the Veeam Backup for Microsoft 365 leverage the Managed Identity or still use the Global Administrator account to authenticate as the service account to backup and restore M365 objects?

I've searched through:

https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=70
https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=70

But cannot find anything mentioning using managed identity either.

If not required, what will be the minimum roles or privileges required?

Thank you in advance.
--
/* Veeam software enthusiast user & supporter ! */
Mildur
Product Manager
Posts: 10170
Liked: 2715 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Does the Veeam Backup for Microsoft 365 uses Global Administrator as the service account?

Post by Mildur » 1 person likes this post

Hi Albert

Required permissions are documented in the user guide:
https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=70

Global administrator permission is only required once to automatically register and configure the backup application.
After you have configured the tenant in the backup console, you can change the username to any account available in your tenant. No credentials (password) will be stored. No special permissions required.
But there is one exception when you protect public folder backups. Make sure this user has a mailbox and has owner permission on all public folders (it's documented in the user guide as well)

Image

Best,
Fabian
Product Management Analyst @ Veeam Software
albertwt
Veteran
Posts: 948
Liked: 53 times
Joined: Nov 05, 2009 12:24 pm
Location: Sydney, NSW
Contact:

Re: Does the Veeam Backup for Microsoft 365 uses Global Administrator as the service account?

Post by albertwt »

Wow, that's great, so is this service account using some sort of secrets that must or can be rotated regularly?
--
/* Veeam software enthusiast user & supporter ! */
Mildur
Product Manager
Posts: 10170
Liked: 2715 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Does the Veeam Backup for Microsoft 365 uses Global Administrator as the service account?

Post by Mildur » 1 person likes this post

We do not store any secrets or credentials of this user account in the configuration database.

Veeam Backup for Microsoft 365 uses certificates to authenticate against the app. You can find them in the Local Machine - Certificate store of your VB365 backup server.
Our M365 organization wizard will create a certificate which is valid for 10 years. If you like, you can replace this certificate on a shorter interval.

Best,
Fabian
Product Management Analyst @ Veeam Software
albertwt
Veteran
Posts: 948
Liked: 53 times
Joined: Nov 05, 2009 12:24 pm
Location: Sydney, NSW
Contact:

Re: Does the Veeam Backup for Microsoft 365 uses Global Administrator as the service account?

Post by albertwt »

Thank you, Fabian !
--
/* Veeam software enthusiast user & supporter ! */
xariskk24
Novice
Posts: 3
Liked: never
Joined: Feb 11, 2025 6:13 pm
Full Name: harris kelaidis
Contact:

Re: Does the Veeam Backup for Microsoft 365 uses Global Administrator as the service account?

Post by xariskk24 »

Hello I need also your help about 365 backup. We need to take backup of an amount of emails account that are under a very big tenant. The owner of the tenant not want to give to us the global admin because after that we will see all the email tree and not only the specific amount of mails we need to have access. How can we accomplish this?
mjr.epicfail
Veeam Legend
Posts: 435
Liked: 122 times
Joined: Apr 22, 2022 12:14 pm
Full Name: Danny de Heer
Contact:

Re: Does the Veeam Backup for Microsoft 365 uses Global Administrator as the service account?

Post by mjr.epicfail »

You can onboard the tenant, let the owner authenticate the devicecode, and then onboard the rest.
However, there is no way, as far as I know, that will prevent you to backup all (other) mail accounts and just browse the mail in the backup.

Backup administrators are kind of the same as janitors in a building, they have access to everything even when there is no one around.
There has to be some level of trust there, and a NDA :)
VMCE / Veeam Legend 2*
iivel
Lurker
Posts: 2
Liked: never
Joined: Aug 10, 2021 1:27 pm
Full Name: Michael Buchser
Location: Switzerland
Contact:

Re: Does the Veeam Backup for Microsoft 365 uses Global Administrator as the service account?

Post by iivel »

For creating Organizations/Backup jobs, global admin is only once used to register the app.
However, for restoring of Teams and Sharepoint Objects, you will still need accounts with appropriate rights. Certificate based (app-) authentication is only supported for restoring Exchange objects.
Post Reply

Who is online

Users browsing this forum: No registered users and 17 guests