Permissions
The following table lists the user account permissions necessary to launch Veeam Explorer for Microsoft Exchange and restore Microsoft Exchange data.
Operation | Required Roles and Permissions |
---|---|
Veeam Explorer for Microsoft Exchange launch | The account used to run Veeam Explorer for Microsoft Exchange must meet the following requirements:
|
Restore to Microsoft 365 and on-premises Microsoft Exchange | To restore data to Microsoft 365 and on-premises Microsoft Exchange organizations, you must grant the following roles and permissions to user accounts: Restore to Public Folder Using Basic Authentication Method
Restore to Mailbox Using Basic Authentication Method
Restore Using Modern Authentication Method Microsoft Entra application uses a user account to log in to Microsoft 365. This user account must be assigned the following roles:
Keep in mind that the ApplicationImpersonation role for Exchange Online will be soon removed by Microsoft. For more information, see this Microsoft article. This role is required to restore Microsoft Exchange data using modern authentication with a one-time authentication code. The Microsoft Entra application must be granted permissions of the Delegated type for Exchange Online. For more information, see the Restore Using Device Code Flow section of the Veeam Backup for Microsoft 365 User Guide. It is recommended that you use modern authentication with the Microsoft Entra application certificate to restore Microsoft Exchange data. The Microsoft Entra application must be granted permissions of the Application type for Exchange Online. For more information, see the Restore Using Application Certificate section of the Veeam Backup for Microsoft 365 User Guide. Also make sure that the required settings are specified for the Microsoft Entra application used for restore. For more information, see the Configuring Microsoft Entra Application Settings section of the Veeam Backup for Microsoft 365 User Guide. |
Compare Data with Production Environment | The Veeam Backup account must have a valid Exchange Online license and an active mailbox within the Microsoft 365 organization. |
Examples
Adding User Account to Organization Management Role Group
To add user account to the Organization Management role group, use the following cmdlet:
Add-RoleGroupMember "Organization Management" –Member "<user_account>" |
For more information about the Add-RoleGroupMember cmdlet, see this Microsoft article.
To grant Full Access to the account that owns a mailbox, use the following cmdlet:
Add-MailboxPermission –Identity "<target_mailbox>" -User "<user_account>" -AccessRights FullAccess –InheritanceType All |
For more information about the Add-MailboxPermission cmdlet, see this Microsoft article.
To grant Full Access to the account that does not own a mailbox (in particular, through impersonation), use the following cmdlet:
New-ManagementRoleAssignment -Name "<role_name>" -Role ApplicationImpersonation -User "<user_account>" |
For more information about the New-ManagementRoleAssignment cmdlet, see this Microsoft article.
Recalling Given Permissions
To recall given access level, run one of the following cmdlets:
Remove-ManagementRoleAssignment "<role_name>" |
Remove-ManagementRoleAssignment -Identity "<role_name>" |