Does the Veeam Backup for Microsoft 365 uses Global Administrator as the service account?

[albertwt]

Hi Team,

Does the Veeam Backup for Microsoft 365 leverage the Managed Identity or still use the Global Administrator account to authenticate as the service account to backup and restore M365 objects?

I've searched through:

https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=70
https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=70

But cannot find anything mentioning using managed identity either.

If not required, what will be the minimum roles or privileges required?

Thank you in advance.

[Mildur]

Hi Albert

Required permissions are documented in the user guide:
https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=70

Global administrator permission is only required once to automatically register and configure the backup application.
After you have configured the tenant in the backup console, you can change the username to any account available in your tenant. No credentials (password) will be stored. No special permissions required.
But there is one exception when you protect public folder backups. Make sure this user has a mailbox and has owner permission on all public folders (it's documented in the user guide as well)



Best,
Fabian

[albertwt]

Wow, that's great, so is this service account using some sort of secrets that must or can be rotated regularly?

[Mildur]

We do not store any secrets or credentials of this user account in the configuration database.

Veeam Backup for Microsoft 365 uses certificates to authenticate against the app. You can find them in the Local Machine - Certificate store of your VB365 backup server.
Our M365 organization wizard will create a certificate which is valid for 10 years. If you like, you can replace this certificate on a shorter interval.

Best,
Fabian

[albertwt]

Thank you, Fabian !

[xariskk24]

Hello I need also your help about 365 backup. We need to take backup of an amount of emails account that are under a very big tenant. The owner of the tenant not want to give to us the global admin because after that we will see all the email tree and not only the specific amount of mails we need to have access. How can we accomplish this?

[mjr.epicfail]

You can onboard the tenant, let the owner authenticate the devicecode, and then onboard the rest.
However, there is no way, as far as I know, that will prevent you to backup all (other) mail accounts and just browse the mail in the backup.

Backup administrators are kind of the same as janitors in a building, they have access to everything even when there is no one around.
There has to be some level of trust there, and a NDA

[iivel]

For creating Organizations/Backup jobs, global admin is only once used to register the app.
However, for restoring of Teams and Sharepoint Objects, you will still need accounts with appropriate rights. Certificate based (app-) authentication is only supported for restoring Exchange objects.