Maintain control of your Microsoft Office 365 data
Post Reply
daven3
Lurker
Posts: 2
Liked: never
Joined: Apr 01, 2021 10:52 am
Full Name: dave
Contact:

Public folder backup - which authentication method, what config before Veeam?

Post by daven3 »

i am testing Veeam Backup for Microsoft Office 365 5.0 community edition.
i have to backup and restore public folders on exchange online.

I must use: Modern authentication with legacy authentication protocols
As there is a warning:
https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=50
If you are backing up public folder mailboxes, the Veeam Backup account must have a valid Exchange Online license and an active mailbox within the Microsoft Office 365 organization.

Am i correct to assume that "Modern authentication with legacy authentication protocols" method does not automatically create the Azure AD Application?
(whereas the modern app-only application can do so)

Now refer to: https://www.veeam.com/kb2969
see title: Veeam service account permissions
This links to what roles should be assigned to Exchange role group; says the "reviewer" or "owner" role are needed in the group. But no such admin role exists in our Exchange Admin Centre.

Does this perhaps mean i should assign "reviewer" role to each public folder directly to the veeam service user?

Am i correct to think the veeam service user has to be created first with an Exchange online licence.
Then granted the reviewer role to the public folders.
Then assigned the new Authentication policy ( Set-User -Identity <UserIdentity> -AuthenticationPolicy "Allow Basic Auth" )
Then obtain an app password (after the removal of the default security policy, enforcing MFA and logging in as the veeam service user to initiate the MFA process).

Am i correct that since the veeam service user and azure AD app are already created i do not need to provide the Add Organization Wizard with a user with global administrator role to log into MS 365 as this is now via basic authentication (app password)?
Which is different from Veeam wizard when using Modern app-only authentication see: https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=50

Does this cover it? Anything else i have missed?
Any help gratefully received.
Thanks.

Polina
Veeam Software
Posts: 1726
Liked: 349 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: Public folder backup - which authentication method, what config before Veeam?

Post by Polina » 1 person likes this post

Hi Dave,

1) You're right. If you use Modern auth with legacy protocols allowed, VBO doesn't create an Azure app automatically. You need to create it in your tenant and assign the required permissions in advance.

2) The 'owner'/'reviewer' roles are assigned on a folder level. This article describes it in more details: https://docs.microsoft.com/en-us/exchan ... lic-folder

3) To back up public folders, your backup account must have an Exchange Online license. Check out this Veeam KB on public folders backup: https://www.veeam.com/kb4033.

4) Correct. You create an Azure app in advance and your backup account doesn't necessarily need to be a Global Admin. Instead, it can be a user account assigned with the roles listed here: https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=50. When adding an organization to VBO, you will need to provide a username and an app password for authentication.

Hope it helps.

Thanks!

daven3
Lurker
Posts: 2
Liked: never
Joined: Apr 01, 2021 10:52 am
Full Name: dave
Contact:

Re: Public folder backup - which authentication method, what config before Veeam?

Post by daven3 »

Thanks for the info.
Do i still need to manually edit proxy.xml?
As the Add Organization Wizard knows that we have selected "Modern authentication with legacy authentication protocols " hence need public folder backup, I am thinking perhaps the wizard configures the .xml with this in mind.
Based on: https://www.veeam.com/kb4033 which recommends editing Proxy.xml to disable impersonation mode for public folders and instead requires veeam service account to have email licence and owner role on root public folder and its sub public folders
(following change in way ms 365 prevents Default user accessing Public Folder even if Owner role assigned to Default user - which is 1 of the 2 workarounds mentioned at https://www.veeam.com/kb3093 )

Polina
Veeam Software
Posts: 1726
Liked: 349 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: Public folder backup - which authentication method, what config before Veeam?

Post by Polina »

If you're running VBO v5, it works out of the box without any manual edits. Just make sure that your service account has a license, a mailbox, and is assigned with the Owner role.

And thanks to your comment I now see that KB4033 needs to be updated with the applicable product versions; we'll fix this ASAP.

Post Reply

Who is online

Users browsing this forum: No registered users and 3 guests