Veeam Backup for Microsoft Office 365 3.0 [Archived]
User Guide
Related documents
RESTful API ReferencePowerShell ReferenceVeeam Explorers User GuideVeeam Explorers PowerShell Reference
Search
This is an archive version of the document. To get the most up-to-date information, see the current version.

Required Permissions

In this article

    Continue with this section to learn how to configure user accounts.

    In This Section

    Required Permissions for Veeam Backup for Microsoft Office 365

    Veeam Backup for Microsoft Office 365 requires a Local System account for the following services:

    Required Permissions Note:

    The Local System account must not be changed.

    Required Permissions for Microsoft SharePoint and OneDrive for Business Organizations

    The account you are using to connect to Microsoft SharePoint organizations (on-premises or Online) must belong to that organization and must conform to the following:

    The account being used must be a member of the Farm Administrator group and must have the Site Collection Administrator role. This role can be assigned either automatically, when adding a new organization with SharePoint services, or manually, as described in Microsoft Organizations Management.

    • For Microsoft SharePoint Online organizations.

    The account being used must have either the Global Administrator role or SharePoint Administrator role.

    Required Permissions Note:

    The addition of Microsoft SharePoint Online organizations requires both the view-only configuration and view-only recipients roles to be assigned to the account.

    Assigning SharePoint Service Administrator role in PowerShell

    To assign the SharePoint Service Administrator role using PowerShell (for Microsoft SharePoint Online organizations), use the following code snippet.

    Connect-MsolService

    $role=Get-MsolRole -RoleName "SharePoint Service Administrator"

    $accountname=example@domain.com

    Add-MsolRoleMember -RoleMemberEmailAddress $accountname -RoleName $role.Name

    The MSOL module can be downloaded from this Microsoft page.

    The $accountname variable must be a user's UPN (e.g. example@domain.com).

    Required Permissions for Microsoft Exchange Organizations

    The account you are using to connect to Microsoft Exchange organizations (on-premises or Online) must belong to that organization and must have the following Exchange roles assigned:

    This role is required to grant the ApplicationImpersonation role.

    Can be assigned:

    • Organization Configuration

    This role is required to manage role assignments.

    • View-Only Configuration

    This role is required to obtain necessary configuration parameters.

    • View-Only Recipients

    This role is required to view mailbox recipients (required for backup job creation).

    • Mailbox Search or Mail Recipients

    Either role is required to back up groups.

    • Reviewer or Owner

    Either role is required to use impersonation to backup/restore public folders under the Default user.

    Assigning ApplicationImpersonation Role via PowerShell

    For On-Premises Microsoft Exchange Organizations

    To assign the ApplicationImpersonation role for on-premises Microsoft Exchange organizations, do the following:

    1. Connect to the Exchange server, as described in this Microsoft article.
    1. Run the following cmdlet to grant the role.

    New-ManagementRoleAssignment –Role ApplicationImpersonation –User "Administrator"

    For Microsoft Office 365 Exchange Organizations

    To assign the ApplicationImpersonation role for Microsoft Office 365 Exchange organizations, do the following:

    1. Connect to the Exchange server:
    1. Run the following cmdlet to grant the role.

    New-ManagementRoleAssignment –Role ApplicationImpersonation –User user.name@domain.com

    To obtain the list of users whom the ApplicationImpersonation role has already been granted, use the following cmdlet (for both on-premises and Online organizations).

    Get-ManagementRoleAssignment -Role "ApplicationImpersonation"

    To remove the role, use the following cmdlet (for both on-premises and Online organizations).

    Get-ManagementRoleAssignment -RoleAssignee "Administrator" -Role ApplicationImpersonation -RoleAssigneeType user | Remove-ManagementRoleAssignment

    Required Permissions for Microsoft Graph

    For more information, see Understanding Microsoft Graph.

    Required Permissions for Restore

    For more information about how to configure user accounts to restore data, see:

    I want to report a typo

    There is a misspelling right here:

     

    I want to let the Veeam Documentation Team know about that.