MS deprecating Application Impersonation role

[ryan.christensen]

Can I get confirmation that this announcement by Microsoft will not affect Veeam for Microsoft 365?

Thanks,

[Mildur]

Hi Ryan

Yes, it will impact restores to M365 via Veeam Explorer for Exchange.
According to Microsoft it won't be possible to assign Impersonation permissions to new user accounts starting in May 2024.
Already assigned permissions will keep working until the beginning of 2025.

Our RnD teams are already working on an alternative solution and we plan to publish a kb on this issue soon.

Best,
Fabian

[sumeet]

Hi Fabian,

The restores that users run for their own mailbox, using restore portal - this will not be impacted - Correct ?

But a restore operator running the restore from portal is impacted by this change (as in this case the impersonation permission is required).

-Sumeet.

[Mildur]

Our restore portal does not require assigning the application impersonation role to Restore Operators.
End-user and restore operators will not be affected.

Best,
Fabian

[e.rottier]

Hi,

Today I've learned that MS is going to retire the ApplicationImpersonation role starting May 2024 untill February 2025.

we will completely remove this role and its feature set from Exchange Online.

I've checked if we got users in those roles and a few, including the RoleAssignee called "Veeam restore requirement".

My question is this: Is this change already implemented and can I remove the RoleAssignee? Or is this something that will be changed\removed from the list in a future update?

Microsoft source: https://techcommunity.microsoft.com/t5/ ... -p/4062671
PowerShell to check this after connecting to EXO:

Code: Select all

Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers

Thanks!

[Mildur]

Hello E.rottier

Please see my previous comment. Our teams are working on it.

Don't remove this role for now. It will continue to work till 2025 as long your user has the role assigned.
If you remove it, you may not be able to reassign it. Which locks you out from restore through Veeam Explorers.

Best,
Fabian

[e.rottier]

Hi Fabian,

Thanks, thanks for the info! Will do as advised.

I did try to search the forum, but probably used the wrong input.

Regards.

[Mildur]

Hi all

Today we have released a new update for Veeam Backup for Microsoft 365 v7a (P20240418 - 7.1.0.2031). It will allow you todo restores with Veeam Explorer for Exchange without the Application Impersonation role. Please see our KB for more enhancements and download links:
https://www.veeam.com/kb4533

New Features and Enhancements
Exchange data restore with Veeam Explorer for Microsoft Exchange now uses modern certificate-based authentication.

To restore exchange items, you have to select the authentication method "Modern authentication (certificate-based)".
The restore wizard will automatically select the application ID used by the backup job. You have to select the correct certificate used to authenticate against the application. If you don't know which certificate, you need to check the ID in your Entra ID admin portal (App registrations).

Best,
Fabian

[ar952]

I just discovered this thread while performing tests with the new v8.
Formerly we just created a separate account with application impersonation set up.
So with this account we would always be ready to run a restore without the need to assign the role first.
As far as I know and tested today, a specific account for restores should not be necessary in the future then.
Everything can be restored using the certificate method (at least for Exchange Online) or any Global Administrator (for everything else), right?

Now this might rather be a service provider topic, as it is only relevant when working with lots of different tenants, but the general topic in this thread is suitable.

The certificate with which the app registration was created for each tenant has to be present or uploaded as PFX when we want to perform a restore.
Since this is a automatically generated cert when adding a new tenant to the console, this certificate is present within the certificate store.
Unfortunately during restore, the thumbprint is only shown when a certificate is selected, making this a guessing game based on the expiration value when trying to select the right certificate.
Whenever I think I got the right certificate I need to check the shown thumbprint with the thumbprint within Entra.
This does not seem to be a viable option as it only slows down recovery processes and I need to provide additional training to every tech which performs recovery.
Could you implement a feature to at least show the certificate thumbprints and make them searchable within the GUI at that point?

A "premium feature" would be that you link the existing certificate in the store to the respective tenant if present, so the certificate is always chosen automatically.

A possible workaround would be to change the friendly name of all certificates to a specific internal customer identifier to be able to get the required certificate quickly through search in the GUI.
But I already created a script and went through hundreds of tenants to add the new required permissions for v8, which was already rather inconvenient (I hate the new Graph PS module...)...
Now I would need to retrieve all certificate thumbprints of every tenant and write yet another script to update the friendly name within the certificate store...
Also what happens when certificates become invalid in ten years (every automatically generated cert is valid for ten years), do we also have to exchange them manually?

In general with the recent changes it seems like nobody paid attention to service providers which now need to perform a lot of manual tasks (even though we automated as much as possible) to use the product as intended.

[ar952]

I implemented my mentioned workaround with renaming the friendly name of each certificate in the store.
Now the certificates are searchable and we are quickly able to select the right certificate when restoring.
This was already rather time consuming, as I had to retrieve the certificate thumbprint from the app registration of every tenant we manage...

Now I took a look at the newest v8 releases but it seems like there is no enhancement/new feature implemented.
@Fabian or @Veeam employees here: Is this even on the list of feature requests?
It just feels like nobody cares.
Upgrading from v7 to v8 was by far the most time consuming upgrade for us (new app permissions and so on).

[DaStivi]

i'll had a customer today where we couldn't restore with Veeam exchange online explorer anymore because of some error " The HTTP Request was forbidden with client authenication scheme 'Anonymous"


turned out it must have todo with the application impersonation deprecation... restores worked like a week before. (Restore working with the Restore Portal without issues!)
after using certificated based auth. restore worked just fine!

in the Logs there where errors like:

[17.04.2025 05:20:13.482] 39 (1) [Info] Opening root folder using impersonation...
[17.04.2025 05:20:13.495] 39 (1) [Info] Opening mailbox (user: abc@xyz.com)...
[17.04.2025 05:20:16.914] 39 (1) [Info] Opening root folder without impersonation...
[17.04.2025 05:20:16.914] 39 (1) [Info] Checking if current account mailbox exists...
[17.04.2025 05:20:16.915] 39 (1) [Info] Opening mailbox (user: )...
[17.04.2025 05:20:17.373] 39 (1) [Info] mailbox found
[17.04.2025 05:20:17.374] 39 (1) [Info] Opening mailbox (user: abc@xyz.com)...
[17.04.2025 05:20:17.433] 31 (1) [Info] Exchange Web Services error code: ErrorItemNotFound
[17.04.2025 05:20:17.434] 31 (1) [Warning] Warning: Exchange Web Services request failed
[17.04.2025 05:20:17.443] 31 (1) [Warning] Warning: Failed to access mailbox.
[17.04.2025 05:20:17.443] 31 (1) [Warning] Type: Veeam.Ews.Internal.ExServerCodeException
[17.04.2025 05:20:17.443] 31 (1) [Warning] Stack:
[17.04.2025 05:20:17.443] 31 (1) [Warning] at Veeam.Ews.ExError.Throw(ExServerCodeException error, RequestInfo requestInfo, String format, Object[] args)
[17.04.2025 05:20:17.443] 31 (1) [Warning] at Veeam.Ews.ExError.HandleExceptionOrThrow(ExceptionDispatchInfo dispatchInfo, RequestInfo requestInfo, String format, Object[] args)
[17.04.2025 05:20:17.443] 31 (1) [Warning] at Veeam.Ews.ExError.CatchAsync(Task task, IRequestInfoProvider requestInfoProvider, String format, Object[] args)
[17.04.2025 05:20:17.443] 31 (1) [Warning] at Veeam.Ews.ExError.CatchAsync[T](Task`1 task, IRequestInfoProvider requestInfoProvider, String format, Object[] args)
[17.04.2025 05:20:17.443] 31 (1) [Warning] at Veeam.Ews.ExMailbox.GetWellKnownFolderAsync(String mail, DistinguishedFolderIdNameType id, IReadOnlyDictionary`2 requestProps, ILogger logger, CancellationToken cancellationToken)
[17.04.2025 05:20:17.443] 31 (1) [Warning] at Veeam.Ews.ExMailbox.GetWellKnownFolderAsync(DistinguishedFolderIdNameType id, IReadOnlyDictionary`2 requestProps, CancellationToken cancellationToken)
[17.04.2025 05:20:17.443] 31 (1) [Warning] at Veeam.Ews.ExMailbox.GetMsgRootFolderAsync(IReadOnlyDictionary`2 requestProps, CancellationToken cancellationToken)
[17.04.2025 05:20:17.443] 31 (1) [Warning] at Veeam.Ews.Retry.FolderRetry.<>c__DisplayClass43_0`1.<<ProcessAsync>g__InvokeAsync|0>d.MoveNext()
[17.04.2025 05:20:17.443] 31 (1) [Warning] --- End of stack trace from previous location ---
[17.04.2025 05:20:17.443] 31 (1) [Warning] at Veeam.Ews.Retry.FolderRetry.ProcessAsync(Func`1 action)
[17.04.2025 05:20:17.443] 31 (1) [Warning] EWS Request Info: RequestInfo { ClientRequestId = 45b2bda6-2a1c-496e-8b79-eef2249c0f89, ServerRequestId = c663159e-709b-8668-2a12-6c88be7e9345, DateHeader = Thu, 17 Apr 2025 03:20:17 GMT }
[17.04.2025 05:20:17.443] 31 (1) [Warning] Warning: The specified object was not found in the store., Default folder Root not found.
[17.04.2025 05:20:17.443] 31 (1) [Warning] Type: Veeam.Ews.Internal.ExServerCodeException
[17.04.2025 05:20:17.443] 31 (1) [Warning] Stack:
[17.04.2025 05:20:17.443] 31 (1) [Warning] at Veeam.Ews.Internal.ResponseMessageTypeExtension.ThrowIfError(ResponseMessageType item, RequestInfo requestInfo)
[17.04.2025 05:20:17.443] 31 (1) [Warning] at Veeam.Ews.Internal.BaseResponseMessageTypeExtension.GetItems[T](BaseResponseMessageType response, RequestInfo requestInfo)
[17.04.2025 05:20:17.443] 31 (1) [Warning] at Veeam.Ews.Internal.BaseResponseMessageTypeExtension.GetMessage[T](BaseResponseMessageType response, RequestInfo requestInfo)
[17.04.2025 05:20:17.443] 31 (1) [Warning] at Veeam.Ews.ExMailbox.GetFolderAsync(GetFolderType folderType, CancellationToken cancellationToken)
[17.04.2025 05:20:17.443] 31 (1) [Warning] at Veeam.Ews.ExMailbox.GetFolderAsync(BaseFolderIdType id, IReadOnlyDictionary`2 requestProps, Boolean isTeamsMessagesData, CancellationToken cancellationToken)
[17.04.2025 05:20:17.443] 31 (1) [Warning] at Veeam.Ews.ExError.<>c__DisplayClass3_0`1.<<CatchAsync>g__InvokeAsync|0>d.MoveNext()
[17.04.2025 05:20:17.443] 31 (1) [Warning] --- End of stack trace from previous location ---
[17.04.2025 05:20:17.443] 31 (1) [Warning] at Veeam.Ews.ExError.CatchAsync(Task task, IRequestInfoProvider requestInfoProvider, String format, Object[] args)
[17.04.2025 05:20:17.443] 31 (1) [Warning] EWS Request Info: RequestInfo { ClientRequestId = 45b2bda6-2a1c-496e-8b79-eef2249c0f89, ServerRequestId = c663159e-709b-8668-2a12-6c88be7e9345, DateHeader = Thu, 17 Apr 2025 03:20:17 GMT }
[17.04.2025 05:20:17.443] 31 (1) [Info] Retry count: 0

[17.04.2025 05:20:47.609] 29 (1) [Info] Waiting before next processing attempt: 00:00:10...
[17.04.2025 05:20:57.610] 29 (1) [Info] Trying to resume...
[17.04.2025 05:20:57.611] 29 (1) [Info] Opening mailbox (user: abc@xyz.com)...
[17.04.2025 05:20:57.690] 29 (1) [Info] Exchange Web Services error code: ErrorItemNotFound
[17.04.2025 05:20:57.690] 29 (1) [Warning] Warning: Exchange Web Services request failed
[17.04.2025 05:20:57.691] 29 (1) [Warning] Warning: Failed to access mailbox.

looks like Microsoft is gooing to disable this feature now

[t7MevELx0]

Yeah, I haven’t been able to restore to another mailbox using the Explorers either. I originally thought it was an issue with the tenant, but after reading through this thread, I realized Microsoft is disabling this functionality. I even opened a ticket with Microsoft, but the support rep had no idea about it.