Understanding Microsoft Graph
To access Azure Active Directory resources and retrieve information about your Microsoft Office 365 organizations, Veeam utilizes Microsoft Graph API. For more information about Microsoft Graph, see this Microsoft article.
To connect to Microsoft Graph, Veeam uses three different approaches involving three different application types:
To be used when selecting the Basic authentication option at the Specify Connection Settings step.
To be used when selecting the Basic authentication option at the Specify Connection Settings step for China and Germany regions.
To be used when selecting the Modern authentication option at the Specify Connection Settings step for organizations with enabled Multi-factor authentication (MFA).
Using Default Microsoft Application
The default application is installed by default by Microsoft and allows Veeam to connect to Microsoft Office 365 organizations that belong to any Microsoft Azure region except for China or Germany regions.
Using Veeam Backup for Microsoft Office 365 Application
To connect to Microsoft Office 365 organizations that belong to China or Germany regions, Veeam uses the proprietary application — Veeam Backup for Microsoft Office 365.
This application is installed automatically after you select the Basic authentication checkbox at the Specify Connection Settings step of the Add Organization wizard and provides Veeam with the appropriate permission set to work with your Microsoft Office 365 organizations data.
To install the application, Veeam requires either of the following roles to be assigned to your Microsoft Office 365 account:
- Application administrator
- Cloud application administrator
For more information on how to assign these roles, see this Microsoft article.
If your Microsoft Office 365 organizations use Multi-factor authentication (MFA), you must create a custom application in your Azure Active Directory portal in advance. Such an application will be utilized by Veeam to access Microsoft Graph API and retrieve your Microsoft Office 365 organizations data.
The following mandatory API access and permissions must be granted to the application:
- Microsoft Graph API access with the following minimum required permissions:
- Read all groups
- Read directory data
- Microsoft Exchange Online API access (only required when using a certificate at the Specify Credentials step) with the following minimum required permissions:
- Use Exchange Web Services with full access to all mailboxes
- Microsoft SharePoint Online API access (only required when using a certificate at the Specify Credentials step) with the following minimum required permissions:
- Have full control of all site collections
- Read user profiles
See the following Microsoft documentation to learn more:
- For more information about Mult-factor authentication, see this Microsoft article.
- For more information on how to create a custom application, see this Microsoft article.
- For more information on how to configure API access and assign appropriate permissions, see this Microsoft article.