Maintain control of your Microsoft 365 data
Post Reply
sumeet
Service Provider
Posts: 283
Liked: 54 times
Joined: Apr 23, 2021 6:40 am
Full Name: Sumeet P
Contact:

v8.5 new permissions instead of EWS access

Post by sumeet »

Hello,

Did v8.5 upgrade. Upgrade successful - thanks.
Post upgrade, to apply the new permissions https://www.veeam.com/kb4820 for EWS retirement, I did the steps in post upgrade section - https://helpcenter.veeam.com/docs/vbo36 ... pplication
Checked the Entra App in azure and I do not see the new permissions.

Ok, maybe the new permissions do not apply with edit organization.
I did the steps to create a new Entra App amd still do not see the new permissions for MailboxItems - https://www.veeam.com/kb4820

Except for the User.Read.All - which already existed, prior to v8.5 upgrade, none of the new permissions from the KB for Miailbox has been applied?

Is this expected? I don't think so. I was hoping Veeam to create the new permissions.

Without the new permissions, the backups for mailbox continue to work - does this mean that post v8.5 upgrade, even if the new permissions are not applied the backup will continue to use EWS permissions, until they expire?
I was hoping the backups to fail. How do we know post upgrade that new permissions are being used and not the old EWS.

Also the documentation does not say that after applying new permisisons, what permissions to remove, which were for EWS and no longer required.
Polina
Veeam Software
Posts: 4059
Liked: 1046 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: v8.5 new permissions instead of EWS access

Post by Polina »

Hi Sumeet,

Forceful assignment of the new pemissions has been postponed indeed by our RND due to the change in Microsoft deadlines, and the behavior you see is expected. We plan to change it with the next product update/patch.

Thanks!
sumeet
Service Provider
Posts: 283
Liked: 54 times
Joined: Apr 23, 2021 6:40 am
Full Name: Sumeet P
Contact:

Re: v8.5 new permissions instead of EWS access

Post by sumeet »

Hi Polina,

Is this listed anywhere in the documentation?

Ok, so this answers some of my other questions - why the backups continue to work without the new permissions. Because they are still using EWS.

Please help with more details for the other questions in my above msg.
If I manually apply the new permissions, how do I know that new permissions are being used and not the old EWS.
Also, can I remove the EWS related permissions - if yes, please let me know which ones.

The only reason I was keen on this is because of this KB - https://www.veeam.com/kb4796
There are failures for many mailboxes, so instead of doing that for each mailbox, I was hoping to upgrade to v8.5 and then apply the new permissions.
tm67
Veeam Legend
Posts: 238
Liked: 89 times
Joined: Feb 21, 2023 4:44 pm
Full Name: Timo Marfurt
Location: Switzerland
Contact:

Re: v8.5 new permissions instead of EWS access

Post by tm67 »

Hi Polina
We have a lot of customers, I just want to confirm the current situation and action plan:
This KB is final, there are no more permissions required for the EWS deprecation: https://www.veeam.com/kb4820
So my plan is to update all app registrations of all customers with the new permissions. This can be done today

8.5 got released, but realistically it does not change anything regarding the EWS deprecation.
So, with the current date of 1. October, Veeam will release an update (8.6) which has to be installed before 1. October. I will advise the customers they can upgrade to 8.5 but they still need to upgrade to 8.6 in a few weeks.

Is this correct?
Timo
Polina
Veeam Software
Posts: 4059
Liked: 1046 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: v8.5 new permissions instead of EWS access

Post by Polina »

@sumeet

1) If you manually apply permissions, they won't be used until a further change (product update) from Veeam, which will essentially activate the use of Graph APIs. Technically, with those permissions already in place today, you are prepared for any unexpected scenarios — if for whatever reason Microsoft blocks EWS earlier, Veeam will address it quickly with a patch that will activate the use of Graph APIs, and your backup applications would already be fully prepared for that.

2) No, you cannot remove any permissions required for EWS until further notice from Veeam. Work on the complete switch to Graph APIs for Exchange Online backup will continue in Q3 — there are still many technical gaps that must first be addressed by Microsoft and then correspondingly by Veeam. If you remove EWS permissions today, your mailbox backup and restore will stop working.

@t@tm67

KB4820 reflects the current state and will be updated should anything change (i.e. Microsoft changes their plans once again).
The list of permissions is final, I don't foresee any changes to it.
v8.5 brings very important thing - engine readiness; even if it doesn't use Graph already today, it's ready to do so at any moment. Installing a next product update will be needed indeed, but I can't say yet if it's going to be v8.6 or a patch for 8.5.
Post Reply

Who is online

Users browsing this forum: Google [Bot], Sieben and 5 guests