Discussions related to our first-party cloud object storage offering.
pufferdude
Expert
Posts: 235
Liked: 17 times
Joined: Jul 02, 2009 8:26 pm
Full Name: Jim

Azure App Creds Expiring

Post by pufferdude »

I got an alert from MS that the "client secret" for an app named "VeeamAzureAppxxxxxxxxxxxxx" is expiring soon. Fine. So I go to the app in Entra to try and figure out WHAT part of Veeam is using this stupid thing, but since it was CREATED by Veeam (not manually), there is no description... sigh. So far, I have been unable to determine anything about this app, other than it's about to expire. There are no sign-in or audit logs for it in the last 30 days, either.

The candidates for me are:
- Maybe it's used by my "backup VMs to Azure" (via Veeam Cloud Vault thingy) job?
- Maybe it's used by my "backup Azure blob storage" job?
- Maybe it's from our OLD M365 backup that we no longer use? (we stopped using that almost a year ago... so the timing fits-ish)

At this point I'm ready to just let the creds expire and see what breaks, unless anyone can tell me a way to look on the Veeam side to determine WHAT is using this app?
Mildur
Product Manager
Posts: 11255
Liked: 3115 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Azure App Creds Expiring

Post by Mildur »

Hi Jim

I moved it, as it has nothing to do with Veeam Data Cloud for Microsoft 365.
> Maybe it's used by my "backup VMs to Azure" (via Veeam Cloud Vault thingy) job?
There’s no application for this VDC service in your tenant — the registration is on Veeam’s Azure tenant.
> Maybe it's from our OLD M365 backup that we no longer use?
During M365 registration, you specify the application name. The VeeamAzureAppxxxxxxxxxxxxx wouldn’t be used for that.
For Azure Blob repositories in Veeam Backup for Microsoft 365, you can run Get-VBOAzureServiceAccount to list the application ID and compare it with those shown in the Entra ID admin portal.
> - Maybe it's used by my "backup Azure blob storage" job?
You can check the registered application IDs on your backup server using PowerShell and compare them to the expired one in the Entra ID admin portal:
- Get-VBRAzureBlobAccount
- Get-VBRAzureADAccount

Best,
Fabian
Product Management Analyst @ Veeam Software
pufferdude
Expert
Posts: 235
Liked: 17 times
Joined: Jul 02, 2009 8:26 pm
Full Name: Jim

Re: Azure App Creds Expiring

Post by pufferdude »

Thanks! That helps, but the mystery deepens...

Get-VBOAzureServiceAccount -> Returns nothing

Get-VBRAzureBlobAccount -> Returns
Id                                Name                  Description
--                                ----                  -----------
d785832a-xxxx-xxxx-xxxx-xxxxxxxxx thecrossing           Azure blobs for Rock
a9d1a834-xxxx-xxxx-xxxx-xxxxxxxxx vdvstorageprdusxxxxxx Veeam Data Cloud Vault credentials

and those Ids don't correlate to anything I see in the Entra app

And Get-VBRAzureADAccount -> Returns

Region             : Global
StorageAccountName : vdvstorageprdusxxxxx
TenantId           : 765d554b-xxxx-xxxx-xxxx-xxxxxxxxx
ApplicationId      : 1e8b7759-xxxx-xxxx-xxxx-xxxxxxxxx
Id                 : a9d1a834-xxxx-xxxx-xxxx-xxxxxxxxx
Name               : vdvstorageprdusxxxx
Description        : Veeam Data Cloud Vault credentials

But that AppId doesn't match, and the Tenant Id isn't even my M365 tenant the app lives in. :?

Soooo... my best guess at this point is that it's related to the "Azure blobs backup for Rock" job. Because it's not terribly risky, I think I'll just let it expire and see what happens before changing anything.

Thanks for the pointers!
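
Added example, not part of any post in this thread and not Veeam's own code: one way to script the comparison discussed above, matching on the ApplicationId and TenantId properties shown in the Get-VBRAzureADAccount output rather than on the Id column. It assumes the Microsoft Graph PowerShell module (Microsoft.Graph.Applications) is installed alongside the Veeam Backup & Replication PowerShell module; `$namePrefix` and the report column names are illustrative.

```powershell
# Added example: list Entra app registrations matching the alert's name prefix,
# show when each client secret expires, and flag which ones Veeam B&R references.
# Assumption: run in a session where both the Veeam B&R cmdlets and the
# Microsoft.Graph.Applications module are available.

$namePrefix = 'VeeamAzureApp'   # display-name prefix taken from the expiry alert

# Read-only scope is enough to list app registrations and their credentials' metadata
Connect-MgGraph -Scopes 'Application.Read.All'
$entraTenantId = (Get-MgContext).TenantId

# App registrations in the signed-in tenant whose display name starts with the prefix
$apps = Get-MgApplication -Filter "startswith(displayName,'$namePrefix')" -All

# Accounts stored in Veeam Backup & Replication. ApplicationId and TenantId are
# the properties visible in the Get-VBRAzureADAccount output posted in the thread.
$veeamAccounts = @(Get-VBRAzureADAccount)

$now = (Get-Date).ToUniversalTime()

$report = foreach ($app in $apps) {
    # A Veeam account only "uses" this app if both the application ID and the
    # tenant match; an account pointing at another tenant is a different app.
    $users = @($veeamAccounts | Where-Object {
        "$($_.ApplicationId)" -eq "$($app.AppId)" -and
        "$($_.TenantId)"      -eq "$entraTenantId"
    })

    foreach ($secret in $app.PasswordCredentials) {
        [pscustomobject]@{
            AppName       = $app.DisplayName
            AppId         = $app.AppId
            SecretKeyId   = $secret.KeyId
            SecretExpires = $secret.EndDateTime
            DaysLeft      = [int]($secret.EndDateTime - $now).TotalDays
            UsedByVeeam   = if ($users.Count) { $users.Name -join ', ' }
                            else { '(no match in Get-VBRAzureADAccount)' }
        }
    }
}

# Soonest-expiring secrets first
$report | Sort-Object SecretExpires | Format-Table -AutoSize
```

A row with no match only rules out Veeam Backup & Replication's stored accounts; the same check against Get-VBOAzureServiceAccount would have to be run separately on a Veeam Backup for Microsoft 365 server.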