Permissions

The following table lists the user account permissions necessary to launch Veeam Explorer for Microsoft Exchange and restore Microsoft Exchange data.

Operation

Required Roles and Permissions

Veeam Explorer for Microsoft Exchange launch

The account used to run Veeam Explorer for Microsoft Exchange must meet the following requirements:

  • The account must be a member of the local Administrators group.
  • The account must have the Veeam Backup Administrator role on the backup server.

Restore to Microsoft 365 and on-premises Microsoft Exchange

To restore data to Microsoft 365 and on-premises Microsoft Exchange organizations, you must grant the following roles and permissions to user accounts:

Restore to Public Folder Using Basic Authentication Method

  • The account must own a mailbox on a target Microsoft Exchange server.
  • The account must be a member of the Organization Management role group on a target Microsoft Exchange server. See Adding User Account to Organization Management Role Group.
  • [For restore of In-Place Hold Items to the original location] If the In-Place Hold Items folder already exists, make sure the account being used can create, modify and delete items. If the In-Place Hold Items folder does not exist, the account being used must be able to create folders under the All Public Folders root node.

Restore to Mailbox Using Basic Authentication Method

  • If the account owns a mailbox, make sure it has Full Access.
  • If the account does not own a mailbox, then access must be granted through impersonation. See Granting Full Access.

Restore Using Modern Authentication Method

The Microsoft Entra application uses a user account to log in to Microsoft 365. This user account must be assigned the following roles:

Keep in mind that the ApplicationImpersonation role for Exchange Online will soon be removed by Microsoft. For more information, see this Microsoft article. This role is required to restore Microsoft Exchange data using modern authentication with a one-time authentication code. The Microsoft Entra application must be granted permissions of the Delegated type for Exchange Online. For more information, see the Restore Using Device Code Flow section of the Veeam Backup for Microsoft 365 User Guide.

It is recommended that you use modern authentication with the Microsoft Entra application certificate to restore Microsoft Exchange data. The Microsoft Entra application must be granted permissions of the Application type for Exchange Online. For more information, see the Restore Using Application Certificate section of the Veeam Backup for Microsoft 365 User Guide.

Also make sure that the required settings are specified for the Microsoft Entra application used for restore. For more information, see the Configuring Microsoft Entra Application Settings section of the Veeam Backup for Microsoft 365 User Guide.

Compare Data with Production Environment

The Veeam Backup account must have a valid Exchange Online license and an active mailbox within the Microsoft 365 organization.

Examples

Adding User Account to Organization Management Role Group

To add a user account to the Organization Management role group, use the following cmdlet:

Add-RoleGroupMember "Organization Management" -Member "<user_account>"

For more information about the Add-RoleGroupMember cmdlet, see this Microsoft article.

Granting Full Access

To grant Full Access to the account that owns a mailbox, use the following cmdlet:

Add-MailboxPermission -Identity "<target_mailbox>" -User "<user_account>" -AccessRights FullAccess -InheritanceType All

For more information about the Add-MailboxPermission cmdlet, see this Microsoft article.

To grant Full Access to the account that does not own a mailbox (in particular, through impersonation), use the following cmdlet:

New-ManagementRoleAssignment -Name "<role_name>" -Role ApplicationImpersonation -User "<user_account>"

For more information about the New-ManagementRoleAssignment cmdlet, see this Microsoft article.

Recalling Given Permissions

To recall the given access level, run one of the following cmdlets:

Remove-ManagementRoleAssignment "<role_name>"

 

Remove-ManagementRoleAssignment -Identity "<role_name>"
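
One way to check which of the grants from this page a restore account currently holds, and to recall all three once the restore is finished, shown as an added example that is not part of the original Veeam page. It assumes an open Exchange Management Shell session and a dedicated restore account; the function names and the sample values are hypothetical.

```powershell
# Added example, not Veeam's code. Run in an Exchange Management Shell session.
# Function names and the sample values at the bottom are hypothetical.
function Get-RestoreAccountGrant {
    param([Parameter(Mandatory)] [string] $UserAccount, [string[]] $TargetMailbox = @())
    $user = Get-User -Identity $UserAccount -ErrorAction Stop

    # Organization Management membership (needed for public folder restore).
    $inOrgMgmt = [bool](Get-RoleGroupMember -Identity "Organization Management" |
        Where-Object { $_.DistinguishedName -eq $user.DistinguishedName })

    # Direct, non-delegating ApplicationImpersonation assignments only; assignments
    # inherited through a group are skipped so that revoking never touches the group.
    $impersonation = @(Get-ManagementRoleAssignment -Role ApplicationImpersonation `
        -RoleAssignee $UserAccount -Delegating $false |
        Where-Object { $_.RoleAssigneeType -eq 'User' })

    # Target mailboxes on which the account holds an explicit (not inherited) Full Access allow entry.
    $fullAccess = @($TargetMailbox | Where-Object {
        Get-MailboxPermission -Identity $_ -User $UserAccount |
            Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.Deny -and -not $_.IsInherited }
    })

    [pscustomobject]@{
        UserAccount             = $UserAccount
        InOrganizationMgmt      = $inOrgMgmt
        ImpersonationAssignment = $impersonation
        FullAccessMailbox       = $fullAccess
    }
}

function Remove-RestoreAccountGrant {
    param([Parameter(Mandatory)] $Grant, [switch] $WhatIf)
    foreach ($a in $Grant.ImpersonationAssignment) {
        Remove-ManagementRoleAssignment -Identity $a.Name -Confirm:$false -WhatIf:$WhatIf
    }
    foreach ($mbx in $Grant.FullAccessMailbox) {
        Remove-MailboxPermission -Identity $mbx -User $Grant.UserAccount `
            -AccessRights FullAccess -InheritanceType All -Confirm:$false -WhatIf:$WhatIf
    }
    if ($Grant.InOrganizationMgmt) {   # only for an account dedicated to restore
        Remove-RoleGroupMember -Identity "Organization Management" `
            -Member $Grant.UserAccount -Confirm:$false -WhatIf:$WhatIf
    }
}

# Constructed sample values: review the report, then preview the revocation with -WhatIf.
$grant = Get-RestoreAccountGrant -UserAccount "svc-veeam-restore" -TargetMailbox "jdoe@example.com"
$grant | Format-List
Remove-RestoreAccountGrant -Grant $grant -WhatIf
```

Drop -WhatIf from the last line once the previewed changes match what was granted for the restore.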

Page updated 12/5/2024

Page content applies to build 8.0.5.20