Permissions Changelog

This section describes changes in the permissions required for Veeam Backup for Microsoft 365 7a compared to version 6.0.

Azure AD Application Permissions

The following table lists changes in permissions for modern app-only authentication:

| API | Permission name | Type | Usage | Description | Status |
|---|---|---|---|---|---|
| Microsoft Graph | Directory.ReadWrite.All | Application | Restore | Setting the preferred data location when creating a new M365 group for a multi-geo tenant in case of a teams restore. | new |
| Office 365 Exchange Online | Exchange.ManageAsApp | Application | Backup | Accessing Exchange Online PowerShell. Note: This permission is required only to back up public folder and discovery search mailboxes, as well as to correctly determine the object type for shared mailboxes, starting from Veeam Backup for Microsoft 365 version 7 CP4 (build 7.0.0.3968). This permission works along with the Global Reader role granted to the Azure AD application. For more information, see Permissions for Backup and Granting Global Reader Role to Azure AD Application. | new |

Azure Blob Storage and Azure Blob Storage Archive

If you want to use the Azure archiver appliance when Veeam Backup for Microsoft 365 copies backed-up data between different instances of Azure Blob Storage or to Azure Blob Storage Archive, you must assign the required roles to the user account that you use to create the Azure AD application for the Microsoft Azure service account.

The changes are:

  • A user account must have the Application Administrator role instead of Global Administrator.
  • Minimal required permissions for a custom Azure AD application are added.

For more information, see Permissions for Azure Archiver Appliance.

If you want to store Microsoft 365 and on-premises Microsoft organization backups and backup copies in Azure Blob Storage and Azure Blob Storage Archive, you must grant permissions to a user account that you use to access this object storage. For more information, see Azure Blob Storage Permissions.

Amazon S3 Object Storage

If you want to store Microsoft 365 and on-premises Microsoft organization backups and backup copies in Amazon S3 object storage, you must grant permissions for each Amazon S3 object storage and allow a user account access to Amazon buckets and folders. For more information, see Supported Amazon S3 Storage Classes and Amazon S3 Storage Permissions.