Maintain control of your Microsoft 365 data
ryan.christensen
Service Provider
Posts: 31
Liked: 5 times
Joined: Apr 28, 2021 8:47 pm
Full Name: Ryan Christensen

MS deprecating Application Impersonation role

Post by ryan.christensen »

Can I get confirmation that this announcement by Microsoft will not affect Veeam for Microsoft 365?

Thanks,
Mildur
Product Manager
Posts: 10104
Liked: 2696 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: MS Deprecating Application Impersonation role

Post by Mildur » 1 person likes this post

Hi Ryan

Yes, it will impact restores to M365 via Veeam Explorer for Exchange.
According to Microsoft it won't be possible to assign Impersonation permissions to new user accounts starting in May 2024.
Already assigned permissions will keep working until the beginning of 2025.

Our R&D teams are already working on an alternative solution and we plan to publish a KB on this issue soon.

Best,
Fabian
Product Management Analyst @ Veeam Software
sumeet
Service Provider
Posts: 185
Liked: 27 times
Joined: Apr 23, 2021 6:40 am
Full Name: Sumeet P

Re: MS deprecating Application Impersonation role

Post by sumeet »

Hi Fabian,

The restores that users run for their own mailbox, using the restore portal - this will not be impacted - correct?

But a restore operator running the restore from portal is impacted by this change (as in this case the impersonation permission is required).

-Sumeet.
Mildur
Product Manager
Posts: 10104
Liked: 2696 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: MS deprecating Application Impersonation role

Post by Mildur »

Our restore portal does not require assigning the application impersonation role to Restore Operators.
End users and restore operators will not be affected.

Best,
Fabian
Product Management Analyst @ Veeam Software
e.rottier
Influencer
Posts: 24
Liked: 2 times
Joined: May 06, 2021 1:45 pm

[MERGED] the ApplicationImpersonation role will be retired by MS

Post by e.rottier »

Hi,

Today I've learned that MS is going to retire the ApplicationImpersonation role starting May 2024 until February 2025.
we will completely remove this role and its feature set from Exchange Online.
I've checked if we got users in those roles and a few, including the RoleAssignee called "Veeam restore requirement".

My question is this: Is this change already implemented and can I remove the RoleAssignee? Or is this something that will be changed\removed from the list in a future update?

Microsoft source: https://techcommunity.microsoft.com/t5/ ... -p/4062671
PowerShell to check this after connecting to EXO:


Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers
Thanks!
Mildur
Product Manager
Posts: 10104
Liked: 2696 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: MS deprecating Application Impersonation role

Post by Mildur »

Hello E.rottier

Please see my previous comment. Our teams are working on it.

Don't remove this role for now. It will continue to work till 2025 as long as your user has the role assigned.
If you remove it, you may not be able to reassign it, which locks you out from restores through Veeam Explorers.

Best,
Fabian
Product Management Analyst @ Veeam Software
e.rottier
Influencer
Posts: 24
Liked: 2 times
Joined: May 06, 2021 1:45 pm

Re: MS deprecating Application Impersonation role

Post by e.rottier » 1 person likes this post

Hi Fabian,

Thanks for the info! Will do as advised.

I did try to search the forum, but probably used the wrong input.

Regards.
Mildur
Product Manager
Posts: 10104
Liked: 2696 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: MS deprecating Application Impersonation role

Post by Mildur » 4 people like this post

Hi all

Today we have released a new update for Veeam Backup for Microsoft 365 v7a (P20240418 - 7.1.0.2031). It will allow you to do restores with Veeam Explorer for Exchange without the Application Impersonation role. Please see our KB for more enhancements and download links:
https://www.veeam.com/kb4533
New Features and Enhancements
Exchange data restore with Veeam Explorer for Microsoft Exchange now uses modern certificate-based authentication.
To restore Exchange items, you have to select the authentication method "Modern authentication (certificate-based)".
The restore wizard will automatically select the application ID used by the backup job. You have to select the correct certificate used to authenticate against the application. If you don't know which certificate, you need to check the ID in your Entra ID admin portal (App registrations).

Best,
Fabian
Product Management Analyst @ Veeam Software
ar952
Service Provider
Posts: 8
Liked: 3 times
Joined: Dec 05, 2022 7:54 am

Re: MS deprecating Application Impersonation role

Post by ar952 »

I just discovered this thread while performing tests with the new v8.
Formerly we just created a separate account with application impersonation set up.
So with this account we would always be ready to run a restore without the need to assign the role first.
As far as I know and tested today, a specific account for restores should not be necessary in the future then.
Everything can be restored using the certificate method (at least for Exchange Online) or any Global Administrator (for everything else), right?

Now this might rather be a service provider topic, as it is only relevant when working with lots of different tenants, but the general topic in this thread is suitable.

The certificate with which the app registration was created for each tenant has to be present or uploaded as PFX when we want to perform a restore.
Since this is an automatically generated cert when adding a new tenant to the console, this certificate is present within the certificate store.
Unfortunately during restore, the thumbprint is only shown when a certificate is selected, making this a guessing game based on the expiration value when trying to select the right certificate.
Whenever I think I got the right certificate I need to check the shown thumbprint with the thumbprint within Entra.
This does not seem to be a viable option as it only slows down recovery processes and I need to provide additional training to every tech which performs recovery.
Could you implement a feature to at least show the certificate thumbprints and make them searchable within the GUI at that point?

A "premium feature" would be that you link the existing certificate in the store to the respective tenant if present, so the certificate is always chosen automatically.

A possible workaround would be to change the friendly name of all certificates to a specific internal customer identifier to be able to get the required certificate quickly through search in the GUI.
But I already created a script and went through hundreds of tenants to add the new required permissions for v8, which was already rather inconvenient (I hate the new Graph PS module...)...
Now I would need to retrieve all certificate thumbprints of every tenant and write yet another script to update the friendly name within the certificate store...
Also what happens when certificates become invalid in ten years (every automatically generated cert is valid for ten years), do we also have to exchange them manually?

In general with the recent changes it seems like nobody paid attention to service providers which now need to perform a lot of manual tasks (even though we automated as much as possible) to use the product as intended.
ar952
Service Provider
Posts: 8
Liked: 3 times
Joined: Dec 05, 2022 7:54 am

Re: MS deprecating Application Impersonation role

Post by ar952 »

I implemented my mentioned workaround with renaming the friendly name of each certificate in the store.
Now the certificates are searchable and we are quickly able to select the right certificate when restoring.
This was already rather time consuming, as I had to retrieve the certificate thumbprint from the app registration of every tenant we manage...

Now I took a look at the newest v8 releases but it seems like there is no enhancement/new feature implemented.
@Fabian or @Veeam employees here: Is this even on the list of feature requests?
It just feels like nobody cares.
Upgrading from v7 to v8 was by far the most time consuming upgrade for us (new app permissions and so on).
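
The friendly-name workaround described in the two posts above, as an added example (not ar952's script and not Veeam code): it labels each certificate in the Windows certificate store with a customer identifier and reports remaining validity. The store path, the function name `Set-TenantCertLabel`, the customer identifiers and the thumbprints are constructed placeholders; run it elevated if the store is under LocalMachine.

```powershell
# Assumption: the store the console's certificates live in; adjust as needed.
$StorePath = 'Cert:\LocalMachine\My'

# Constructed sample mapping: thumbprint as shown in Entra ID (App registrations)
# -> internal customer identifier. Replace with your own export.
$Mapping = @'
Thumbprint,CustomerId
0000000000000000000000000000000000000001,CUST-0001-example
0000000000000000000000000000000000000002,CUST-0002-example
'@ | ConvertFrom-Csv

function Set-TenantCertLabel {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [object[]] $Map,
        [string] $Store = 'Cert:\LocalMachine\My',
        [int] $WarnDays = 365            # hypothetical threshold for expiry warnings
    )
    foreach ($row in $Map) {
        # Normalise: thumbprints are often pasted with spaces or in lower case.
        $thumb = ($row.Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        $cert  = Get-Item -Path "$Store\$thumb" -ErrorAction SilentlyContinue
        if (-not $cert) {
            Write-Warning "No certificate $thumb in $Store for $($row.CustomerId)"
            continue
        }
        if (-not $cert.HasPrivateKey) {
            Write-Warning "$thumb has no private key here; it cannot be used to authenticate"
        }
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        if ($daysLeft -lt $WarnDays) {
            Write-Warning "$($row.CustomerId): certificate expires in $daysLeft days"
        }
        # Only write when the label differs; -WhatIf previews without changing anything.
        if ($cert.FriendlyName -ne $row.CustomerId -and
            $PSCmdlet.ShouldProcess($thumb, "Set FriendlyName to $($row.CustomerId)")) {
            $cert.FriendlyName = $row.CustomerId   # persisted on the store entry
        }
        [pscustomobject]@{ CustomerId = $row.CustomerId; Thumbprint = $thumb
                           NotAfter = $cert.NotAfter; DaysLeft = $daysLeft }
    }
}

# Dry run first; drop -WhatIf to apply the labels.
Set-TenantCertLabel -Map $Mapping -Store $StorePath -WhatIf
```

The returned objects can be piped to `Sort-Object DaysLeft` to see which tenant certificates come up for replacement first.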