VBO Failing to Create All Azure Permissions

[mike.anderson]

Hi,

I wanted to post what appears to be a bug when adding an org using Modern Authentication without Legacy Protocols.

I must note, I really like this feature as it makes adding customers to the console easy, and it really streamlines the creation of the Azure App permissions. However, it consistently seems to leave out one important permission for restores.

Microsoft Graph - Delegated - EWS.AccessAsUser.All

This permission appears to never be created automatically, and without it, when doing Exchange restores, even with the AppImpersonation permission granted to the restore account, it gives the "Mailbox not found" error.

I have seen this error with regards to the App Impersonation, however, it also seems to appear when EWS.AccessAsUser.All is missing.

Just ran through this with a customer and as soon as we manually added the Microsoft Graph permission the restore went through right away.

All permissions can be seen here: https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=50

As an aside, it's also worth noting the Office 365 Exchange Online permission for full_access_as_user has been renamed in O365 to EWS.AccessAsUser.All (this is not reflected in the KB).

Support Case# 04705939

[mike.anderson]

Updating to add it's version 5.0.1.179

[Polina]

Hi Michael,

Thanks for the heads up, I'll pass this information to our QA team for investigation.

[Polina]

Michael,

Are you seeing this issue repeatedly on different organizations, or it was a one-time?

We ran multiple tests today and all the required permissions were added correctly to the VBO application. What I did notice though is that the EWS.AccessAsUser.All has moved from Graph API to Office 365 Exchange Online, and our documentation now reflects this change. Also, not sure why you think that the full_access_as_user permission has been renamed, because from what I see it's still present.

[mike.anderson]

Hi Polina,

Support asked me to upgrade to the 207 build patch and try again: https://www.veeam.com/kb4124

I spun up a test environment, purged the old app out of my O365 org and readded with the new patch.

It worked fine and appeared to be the same, so I suspect maybe just a non issue in my case, or the customer I was working with had a delay in app impersonation permissions that kicked in while we were working on it.

I appreciate you guys updated the documentation.

I do not see full_access_as_user as a delegate permission in Office 365 Exchange Online.

[Polina]

Is your tenant in the Germany region? Cause otherwise, you should be looking for full_access_as_user Application, not Delegated.

[mike.anderson]

Hi Polina,

I am not in the Germany region, however, as per your KB here: https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=50 this is supposed to be a delegated permission. Perhaps just a typo?

Thanks,
Michael

[Polina]

Pardon, my bad; these two look so similar that I made a typo.
full_access_as_user (Delegated) is only required for restore in organizations in the Germany region. If your tenant belongs to a Global/Worldwide, it's not needed.