Restores back to M365 Requiring Authorization Every Time

[ratkinsonuk]

Our connection from VBO to M365 is via an AD Application generated through the Veeam wizard, and using Modern Authentication only. Backups, etc work fine, but we've found every time we try and restore anything, the Restore wizard generates a Microsoft '\devicelogin' token which then requires a Global Admin to authenticate.

Although technically this isn't a Veeam problem, others on this forum must have come up against the same issue. Is there a way to stop this so that the connection is always authenticated? It happens for the backup process, so I'd assume is possible for restores?

Cheers, Rob.

[Polina]

Hi Rob,

Authentication is valid for a single restore session only and this inconvenience is the trade-off to ensure security with the least previliged permissions possible. While backup operations need to be continuous, restore is an on-demand operation where user interaction is expected, right?

[ratkinsonuk]

Hi Polina. I can see where you're coming from. Our problem, and probably many others too, is that I manage Veeam backup and restores, but another team manages M365. I have to get one of a handful of people to login with the token within a few minutes of it being generated. As you can imagine, this is going to be a nightmare going forward if we have lots of email restores to do.

Do you have any suggestions on what the M365 admin account would look like that gives me the minimum privileges to be able to authorize the token each time?

Cheers, Rob.

[Polina]

Will an Exchange Admin account be an option for you?

[ratkinsonuk]

I honestly don't know. I've pushed this problem back to our design architects to work through, as I don't even have access to the M365 environment to view how it's set up so I can help them with suggestions.

My hope is that you've tackled this problem internally, and may have a recommended approach? If not, then don't worry. I understand it's not a Veeam issue and that we should understand how to configure our 365 environment before we migrate over to it......ok, so back in the real world!

[Mike Resseler]

Actually,

@ratkinsonuk I would love to hear what your design architects have to say. You are (partially) right that it should not be Veeam's concern, but maybe we can make (longer future) improvements that help many others with these type of problems.