Modern Authentication - Global Administrator

[BuffaloBucks]

When setting up Mail Server Settings to receive email notifications from the VeeamONE client and using Microsoft 365 (Modern Authentication), a Microsoft account with Global Administrator permissions is required to complete the process. This is not the most secure way to do this for the following reasons:
1.) The user has no way of knowing what your application will create, or what permissions it will grant until after the fact.
2.) It violates the principle of lease privilege.
3.) It reduces the user's trust and confidence in your app.

Instead of requesting Global Administrator sign-in, following these best practices for app integration with Microsoft 365:
1.) Use the Azure AD app registration portal.
2.) Use the delegated or application permissions model.

My co-worker wrote up this in greater detail here as he has spent years working on these types of integrations:
https://www.linkedin.com/pulse/plea-dev ... 440g%3D%3D

Please consider this when revising the next version of VeeamONE.

[jorgedlcruz]

Hello,
Thank you very much for the idea, and content. We have this documented on other products, but it is true that it should be under Veeam ONE as well, especially, because you can just create your own app and not letting Veeam touch anything:
https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=80

I will ask tech writers to improve this part of the documentation, thank you very much.

[Mildur]

And Veeam Backup & Replication documents the process with nice screenshots
https://helpcenter.veeam.com/docs/backu ... ml?ver=120

Best,
Fabian

[BuffaloBucks]

Thanks. Updated documentation would be great.