Maintain control of your Microsoft 365 data
Post Reply
mike.anderson
Service Provider
Posts: 19
Liked: 5 times
Joined: Jul 02, 2019 8:06 pm
Full Name: Michael anderson
Contact:

VBO Failing to Create All Azure Permissions

Post by mike.anderson »

Hi,

I wanted to post what appears to be a bug when adding an org using Modern Authentication without Legacy Protocols.

I must note, I really like this feature as it makes adding customers to the console easy, and it really streamlines the creation of the Azure App permissions. However, it consistently seems to leave out one important permission for restores.

Microsoft Graph - Delegated - EWS.AccessAsUser.All

This permission appears to never be created automatically, and without it, when doing Exchange restores, even with the AppImpersonation permission granted to the restore account, it gives the "Mailbox not found" error.

I have seen this error with regards to the App Impersonation, however, it also seems to appear when EWS.AccessAsUser.All is missing.

Just ran through this with a customer and as soon as we manually added the Microsoft Graph permission the restore went through right away.

All permissions can be seen here: https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=50

As an aside, it's also worth noting the Office 365 Exchange Online permission for full_access_as_user has been renamed in O365 to EWS.AccessAsUser.All (this is not reflected in the KB).

Support Case# 04705939
mike.anderson
Service Provider
Posts: 19
Liked: 5 times
Joined: Jul 02, 2019 8:06 pm
Full Name: Michael anderson
Contact:

Re: VBO Failing to Create All Azure Permissions

Post by mike.anderson »

Updating to add it's version 5.0.1.179
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: VBO Failing to Create All Azure Permissions

Post by Polina »

Hi Michael,

Thanks for the heads up, I'll pass this information to our QA team for investigation.
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: VBO Failing to Create All Azure Permissions

Post by Polina »

Michael,

Are you seeing this issue repeatedly on different organizations, or it was a one-time?

We ran multiple tests today and all the required permissions were added correctly to the VBO application. What I did notice though is that the EWS.AccessAsUser.All has moved from Graph API to Office 365 Exchange Online, and our documentation now reflects this change. Also, not sure why you think that the full_access_as_user permission has been renamed, because from what I see it's still present.
mike.anderson
Service Provider
Posts: 19
Liked: 5 times
Joined: Jul 02, 2019 8:06 pm
Full Name: Michael anderson
Contact:

Re: VBO Failing to Create All Azure Permissions

Post by mike.anderson »

Hi Polina,

Support asked me to upgrade to the 207 build patch and try again: https://www.veeam.com/kb4124

I spun up a test environment, purged the old app out of my O365 org and readded with the new patch.

It worked fine and appeared to be the same, so I suspect maybe just a non issue in my case, or the customer I was working with had a delay in app impersonation permissions that kicked in while we were working on it.

I appreciate you guys updated the documentation.

I do not see full_access_as_user as a delegate permission in Office 365 Exchange Online.

Image
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: VBO Failing to Create All Azure Permissions

Post by Polina »

Is your tenant in the Germany region? Cause otherwise, you should be looking for full_access_as_user Application, not Delegated.
mike.anderson
Service Provider
Posts: 19
Liked: 5 times
Joined: Jul 02, 2019 8:06 pm
Full Name: Michael anderson
Contact:

Re: VBO Failing to Create All Azure Permissions

Post by mike.anderson »

Hi Polina,

I am not in the Germany region, however, as per your KB here: https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=50 this is supposed to be a delegated permission. Perhaps just a typo?

Thanks,
Michael
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: VBO Failing to Create All Azure Permissions

Post by Polina »

Pardon, my bad; these two look so similar that I made a typo.
full_access_as_user (Delegated) is only required for restore in organizations in the Germany region. If your tenant belongs to a Global/Worldwide, it's not needed.
Post Reply

Who is online

Users browsing this forum: No registered users and 15 guests