Maintain control of your Microsoft 365 data
sandsturm
Veteran
Posts: 290
Liked: 25 times
Joined: Mar 23, 2015 8:30 am
Contact:

Modern Auth user account

Post by sandsturm »

When adding an M365 tenant with Modern auth only, a username needs to be specified (for impersonation in Exchange Online Web Services). The authentication for this account can be configured only as username/password; MFA is not possible. I really do not understand why this account is required besides the app registration. We have policies and an account without some sort of strong authentication like MFA is not allowed in our company.
Is there a way to renounce this account? And what are the implications, if I don't have this account?

thx
sandsturm
Mildur
Product Manager
Posts: 9845
Liked: 2606 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Modern Auth user account

Post by Mildur »

Hi Sandsturm

Can you tell me where you see a password field for this user?
I can only see the mail address field. And this can be any mailbox from your organization.
Providing a password is not required for this user.

Image
Product Management Analyst @ Veeam Software

Re: Modern Auth user account

Post by sandsturm »

Hi Mildur

I mean exactly the account you mentioned on your screenshot. Is this really just a mailbox? No permissions for this user required? A few steps after this, a login to Microsoft 365 is required (with copy of the code), where I have to sign in to Azure with an account. I used the same account there, and for this account I need to have "global admin" permissions, otherwise adding the organisation fails. Question: Is this an account which is used only once for the initial configuration? If so, I can use my own admin account, but if this is some sort of service account which is used every time a connection is made, I need to have a "service account" for that with appropriate permissions. Sorry for asking this, but I was not able to find out the reason for this account in Veeam documentation.

thx
sandsturm

Re: Modern Auth user account

Post by Mildur »

Hi sandsturm
"Is this really just a mailbox? No permissions for this user required?"
It works in my lab with a test account which has no permission at all. I must say, I'm not entirely sure what the user does. Let me get that info for you. I believe Veeam uses the mailbox to access the other mailboxes through the application permissions.
I will come back with an answer and correct my assumption here if I was wrong.
"A few steps after this, a login to Microsoft 365 is required (with copy of the code), where I have to sign in to Azure with an account."
This account is required to create the Azure App registration with the required permission. It is only required in the configuration step. And eventually when you update VB365 and new permissions are required.
Backup Jobs don't use this account.

Thanks
Fabian
Product Management Analyst @ Veeam Software

Re: Modern Auth user account

Post by Mildur »

Hi sandsturm

I got confirmation. The provided username will be used for the impersonation with the application permissions and for detecting the tenant ID. The Azure App doesn't know about the tenant ID. So we use the provided username to detect the correct tenant ID.

Thanks
Fabian
Product Management Analyst @ Veeam Software

Re: Modern Auth user account

Post by sandsturm »

Hi

I understand, that's fine for the backup processes, but if I start a restore I can open the explorer (doesn't matter if SharePoint or Teams explorer), then I choose a file to restore and after that I have to choose the authentication method, which is "Modern authentication" in my case, and then the wizard again displays the site where I have to log in to Microsoft 365 with the provided code and an account. Is there a way to do this without the need for a user authentication, just with the Azure App registration?

thx
sandsturm
Polina
Veeam Software
Posts: 3191
Liked: 774 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: Modern Auth user account

Post by Polina »

For restores via Explorers, we use the device code flow, which requires a user to authenticate directly to Microsoft.
Restoring using just an app and certificate is possible via our REST APIs or PowerShell.

Thanks!
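
The device code flow mentioned in the reply above, as an added example that is not part of the original thread and is not Veeam's or Microsoft's code: a small in-memory simulation of the RFC 8628 exchange, showing that the application only ever handles codes while the sign-in (including MFA) happens between the user and the authorization server. The `AuthServer` class, the `run_flow` helper, the client ID, the URL and the username are constructed for illustration.

```python
import secrets

class AuthServer:
    """In-memory stand-in for the authorization server (constructed for this example)."""
    def __init__(self):
        self.pending = {}  # device_code -> {"user_code", "user"}

    def device_authorization(self, client_id):
        # Step 1: the app asks for a code pair; no user credentials are sent.
        device_code = secrets.token_urlsafe(16)
        user_code = secrets.token_hex(4).upper()
        self.pending[device_code] = {"user_code": user_code, "user": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device", "interval": 5}

    def user_approves(self, user_code, username, mfa_passed):
        # Step 2: happens in the user's browser, outside the app. The server,
        # not the app, checks the credentials and enforces MFA.
        if not mfa_passed:
            return False
        for entry in self.pending.values():
            if entry["user_code"] == user_code:
                entry["user"] = username
                return True
        return False

    def token(self, device_code):
        # Step 3: the app polls with the device_code only.
        entry = self.pending.get(device_code)
        if entry is None:
            return {"error": "invalid_grant"}
        if entry["user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # a device_code is single use
        return {"access_token": secrets.token_urlsafe(24), "sub": entry["user"]}

def run_flow(server, username, mfa_passed):
    """Drive the app side once and return every token-endpoint response."""
    grant = server.device_authorization("restore-client")  # hypothetical client ID
    responses = [server.token(grant["device_code"])]       # poll before sign-in
    server.user_approves(grant["user_code"], username, mfa_passed)
    responses.append(server.token(grant["device_code"]))   # poll after sign-in
    responses.append(server.token(grant["device_code"]))   # replay of a used code
    return responses

if __name__ == "__main__":
    for r in run_flow(AuthServer(), "admin@contoso.example", mfa_passed=True):
        print(r.get("error") or "token issued for " + r["sub"])
```

Code expiry and the `slow_down` response from RFC 8628 are left out to keep the example to the core exchange.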