VBO - Restore Permissions with MFA

[mamosorre84]

Hi all,

I've a doubt with correct permissions needed for restore Office 365 email/objects (no Sharepoint/One Drive).

I'm using the latest VBO version 4c, AAD service account with MFA enabled, security defaults disabled, application with secret created.

The backup job work without any problem, but if I try to restore something using modern authentication I receive an error at the end of the procedure.

AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'

Do you think I'm doing it wrong (I can't use MFA both for backup/restore in my case) or I probably forgot some permissions?

PS: using a service account with MFA disabled the restore with basic authentication ends successfully

Thank you

Marco S.

[Polina]

Hi Marco,

For restores, selecting Modern auth means that are you going to restore the data using application credentials only. The required permissions for such an application are covered here.
When selecting Basic auth to restore to a tenant with disabled Security Defaults, you can use either a non-MFA account (username and regular password) or an MFA-enabled user account (username + app password).

Thanks!

[mamosorre84]

Hi Polina,

thank you for the explanation.

I've checked again the required permissions, they were correct.

The solution, in my case, was to set the "Default Client Type" to yes under AAD --> App Registrations --> Veeam App --> Authentication

I don't know if this parameter is necessary for all VBO configurations, I don't find it in the official docs.

Marco S.

[Polina]

Hi Marco,

This parameter is required when using the Device Code flow for adding an organization or restoring data in the Modern app-only Authentication mode.
We'll include this into product documentation, thank you for noticing this!

[mamosorre84]

Thank you for the feedback!