Microsoft Exchange Organizations

The following table lists the required roles and permissions that must be assigned to the Veeam Backup account that you want to use for working with Microsoft Exchange organizations. The table lists roles required by Veeam Backup for Microsoft 365 when you add Microsoft 365 organizations using modern authentication with legacy protocols allowed or basic authentication and on-premises Microsoft organizations.

Consider the following:

  • The account you are using to add an organization must be a member of this organization.
  • The account you are using to add an organization is not required to have a mailbox in such an organization.
  • If you are backing up public folder mailboxes, the Veeam Backup account must have a valid Exchange Online license and an active mailbox within the Microsoft 365 organization.

Note

For more information about permissions required to restore Microsoft Exchange data from backups created by Veeam Backup for Microsoft 365, see Required Permissions for Veeam Explorer for Microsoft Exchange.

 

Role

Description

Role Management

Required to grant the ApplicationImpersonation role.

ApplicationImpersonation

Required to back up Exchange data.

Organization Configuration

Required to manage role assignments.

View-Only Configuration

Required to obtain necessary configuration parameters.

View-Only Recipients

Required to view mailbox recipients.

Mailbox Search or Mail Recipients

Required to back up groups.

Owner

Required to back up/restore public folders.

Granting ApplicationImpersonation Role in PowerShell

For On-Premises Microsoft Exchange Organizations

To grant the ApplicationImpersonation role for on-premises Microsoft Exchange organizations, do the following:

  1. Connect to the Exchange server. For more information, see this Microsoft article.
  1. Run the following cmdlet to grant the role.

New-ManagementRoleAssignment –Role ApplicationImpersonation –User "Administrator"

For Microsoft 365 Exchange Organizations

To grant the ApplicationImpersonation role for Microsoft 365 Exchange organizations, do the following:

  1. Connect to the Exchange server:
  1. Run the following cmdlet to grant the role.

New-ManagementRoleAssignment –Role ApplicationImpersonation –User user.name@domain.com

To obtain the list of users whom the ApplicationImpersonation role has already been granted, use the following cmdlet (for both on-premises and Online organizations).

Get-ManagementRoleAssignment -Role "ApplicationImpersonation"

To remove the role, use the following cmdlet (for both on-premises and Online organizations).

Get-ManagementRoleAssignment -RoleAssignee "Administrator" -Role ApplicationImpersonation -RoleAssigneeType user | Remove-ManagementRoleAssignment

Creating and Configuring New Authentication Policy for Exchange Online Organizations

To protect your Microsoft 365 organization data properly when you add an organization using either modern authentication with legacy protocols allowed or basic authentication, you need to create a new authentication policy with the AllowBasicAuthPowershell and AllowBasicAuthWebService parameters enabled for the Veeam Backup account. To do this, use the following code snippet.

New-AuthenticationPolicy -Name "Allow Basic Auth"

Set-AuthenticationPolicy -Identity "Allow Basic Auth" -AllowBasicAuthPowershell

Set-AuthenticationPolicy -Identity "Allow Basic Auth" -AllowBasicAuthWebService

Set-User -Identity <VeeamBackupAccount> -AuthenticationPolicy "Allow Basic Auth"

To back up public folder mailboxes correctly, enable the AllowBasicAuthAutodiscover parameter for the created authentication policy by using the following cmdlet.

Set-AuthenticationPolicy -Identity "Allow Basic Auth" -AllowBasicAuthAutodiscover