Maintain control of your Microsoft 365 data
Post Reply
vnewbie99
Influencer
Posts: 10
Liked: 2 times
Joined: Jan 09, 2021 2:05 am
Contact:

Error setting up an orgnaization in Veeam for O365

Post by vnewbie99 »

Hi,

I am new to Veeam and this is my first setup. I am trying to set up Veeam for O365 for SharePoint Online backups. When I create a new organization, I select only SharePoint Online (no Exchange) and use "Modern Authentication and Legacy Protocols" because our tenant does not have Security Defaults enabled. Per Veeam requirement, the service account I use in the new Organization setup has MFA enabled and app password set (my understanding is in order to use app password, MFA must be enabled for the service account). I proceed with the Veeam's Add Organization wizard to verify connection. It connects to Microsoft Graph and SharePoint fine but the 3rd action "Connect to PowerShell" failed. The error is "Connect to PowerShell: Connecting to remote sever outlook.office365.com failed with the following error message : Access is denied." I have three questions:

1. Why does it try to connect to Outlook.office365.com? I don't need to back up Exchange Online at this moment. Is it required? If so, is there a way to tell what permissions are needed for the service account to connect?

2. In https://docs.microsoft.com/en-us/azure/ ... -passwords, it mentions administrative actions via PowerShell won't work with app passwords. Is Veeam trying to perform administrative action? The wizard ask for service account username and app password, not a regular user password.

"After Azure AD Multi-Factor Authentication is enabled on a user's account, app passwords can be used with most non-browser clients like Outlook and Microsoft Skype for Business. However, administrative actions can't be performed by using app passwords through non-browser applications, such as Windows PowerShell. The actions can't be performed even when the user has an administrative account.

To run PowerShell scripts, create a service account with a strong password and don't enable the account for two-step verification."

3. Does Veeam provide support for community edition setup which I am using to try it out?

Any help is very much appreciated. Thank you.
Polina
Veeam Software
Posts: 3758
Liked: 921 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: Error setting up an orgnaization in Veeam for O365

Post by Polina »

Hi!

Veeam doesn't require to enable MFA for a service account, it depends more on your O365 tenant setup and the backup functionality you need. Here you can see the difference in backup options that comes with each of the auth methods.

If your organization's policy requires all users (including a backup service account) to be enabled for MFA, and at the same time it allows for using legacy protocols, your choice in VBO would be modern auth with legacy protocols. An in such a case, you'll use an app password for this account instead of a regular password.

However, if in your tenant it's fine to use basic auth for users (no strict MFA policies), you can simply go with basic auth (and use a regular password) in VBO as well.

And the third possible option in VBO is to perform all backup and restore operations by using an Azure AD application only. This is a modern auth type that works in any O365 tenant.

Next, to your questions:
Even if you back up SharePoint only, VBO needs access to users and groups in a tenant which is done through EWS and PowerShell. Make sure your service account has the View-only Configuration and View-Only Recipients roles as described here. Also, check that the LegacyAuthProtocolsEnabled setting is enabled in your tenant.

And, yes, even with Community Edition you can open a ticket and support will be provided a best-effort basis.

Thanks!
Post Reply

Who is online

Users browsing this forum: JamesD-HBG, jasonede, Polina and 8 guests