This section describes permissions required for solution operation:
- By default, Veeam Backup for Microsoft Office 365 (the Veeam Backup for Microsoft Office 365 Service) runs under the Local System account, which has administrative rights on the local machine. If you want to grant that service access to any resource, grant it to the corresponding local computer account. Do not change the account the Veeam service runs under.
- The account used to connect to the Exchange organization (on-premises or online) for mailbox data backup should belong to that organization; having a mailbox in that organization is optional.
- This account should have the following Exchange roles:
  - Organization Management role – to manage role assignments
  - Application Impersonation role
  - View-Only Configuration role – to obtain the necessary organization configuration parameters
  - View-Only Recipients role – to view the list of mailbox recipients (required for job creation)
To allow for automated Application Impersonation role assignment, assign the Organization Management role to that account (the Role Management role may be insufficient).
- This account should also have the Application Impersonation role. This role can be assigned using any of the following methods:
  - Automatically (recommended), by selecting the corresponding option when adding the Microsoft Exchange Online organization to the solution scope.
  - Manually, by using Exchange Management PowerShell cmdlets.
  - By role assignment in the Exchange Control Panel.
If your Exchange Online organization has just been created, you may need to use the Exchange Control Panel or the Enable-OrganizationCustomization PowerShell cmdlet before roles can be modified and assigned. See the following Microsoft TechNet article for more information: https://technet.microsoft.com/en-us/library/jj200665(v=exchg.160).aspx.
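The following script is an added example and is not part of the Veeam guide: it reports whether the account you intend to use for backup holds the roles listed above (Organization Management, Application Impersonation, View-Only Configuration and View-Only Recipients) and whether the organization is ready for role assignments at all. Run it in the Exchange Management Shell or in a connected Exchange Online PowerShell session. The account address in $BackupAccount is a placeholder; everything else uses standard Exchange cmdlets and their documented properties.

```powershell
# Added example, not part of the Veeam guide: report whether the backup account
# holds the roles the guide requires and whether role assignments are possible.
# $BackupAccount is a placeholder; replace it with the account you use.

$BackupAccount = 'veeam-backup@contoso.onmicrosoft.com'   # placeholder

# Resolve the account once; Get-User accepts a UPN, SMTP address or name.
$user = Get-User -Identity $BackupAccount -ErrorAction Stop

# A freshly created Exchange Online tenant stays "dehydrated" until
# Enable-OrganizationCustomization has been run; role assignments fail until then.
$orgConfig = Get-OrganizationConfig
if ($orgConfig.IsDehydrated) {
    Write-Warning 'Organization customization is not enabled yet; run Enable-OrganizationCustomization before assigning roles.'
}

# Organization Management is a role group, so check membership rather than a role assignment.
$inOrgMgmt = [bool](Get-RoleGroupMember -Identity 'Organization Management' |
    Where-Object { $_.Name -eq $user.Name })

# The remaining requirements are management roles. -GetEffectiveUsers expands role
# groups, so a role inherited through group membership is counted as well.
$requiredRoles = 'ApplicationImpersonation', 'View-Only Configuration', 'View-Only Recipients'

$roleReport = foreach ($role in $requiredRoles) {
    $hits = @(Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers -ErrorAction SilentlyContinue |
        Where-Object { $_.EffectiveUserName -eq $user.Name })
    [pscustomobject]@{
        Requirement = "$role role"
        Satisfied   = $hits.Count -gt 0
        # Which assignment(s) provide the role and whether any is narrowed by a custom recipient scope.
        ProvidedBy  = ($hits.RoleAssigneeName | Sort-Object -Unique) -join ', '
        CustomScope = ($hits.CustomRecipientWriteScope | Where-Object { $_ } | Sort-Object -Unique) -join ', '
    }
}

$report = @(
    [pscustomobject]@{ Requirement = 'Organization Management role group'; Satisfied = $inOrgMgmt; ProvidedBy = ''; CustomScope = '' }
) + $roleReport

$report | Format-Table -AutoSize

$missing = $report | Where-Object { -not $_.Satisfied }
if ($missing) {
    Write-Warning ("Missing for {0}: {1}" -f $user.Name, ($missing.Requirement -join '; '))
}
```

The CustomScope column is worth a look even when every row shows Satisfied: an Application Impersonation assignment narrowed to a recipient scope that does not cover all mailboxes will let job creation succeed but leave the mailboxes outside that scope unprocessed.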
- If you plan to use e-mail notifications on backup job results, the mailbox address that will be used as the notification sender should be delegated the rights to connect to the SMTP server. See E-mail Settings for Notifications for details.
- The user account that will be used to connect to the Windows server where the backup proxy will run should have local Administrator rights on the backup proxy server. This can be the account currently logged in (default option), or another account specified in the DOMAIN\username format. See Configuring Backup Proxies for details.
- To connect to Veeam Backup for Microsoft Office 365 from Veeam Explorer for Exchange, the user account (either the one under which Veeam Explorer runs or a different account) should have local administrative rights on the machine where Veeam Backup for Microsoft Office 365 runs. See also Adding Databases to the Scope Manually.
- Veeam Explorer for Microsoft Exchange can automatically resolve mailboxes (discover mailbox addresses for specified names) and filter out Exchange System Mailboxes when selecting mailboxes to restore. For this, the account under which Veeam Explorer runs should have sufficient rights for Active Directory access:
  - This account can be included in the domain Administrators or Organization Management group.
  - Alternatively, this account can be granted Read permission for the objectClass attribute of the Microsoft Exchange System Objects container. Make sure to select the Apply these permissions to objects and/or containers within this container only option.
If the Veeam Explorer account is included in the Authenticated Users group but is not granted this permission, it will not be able to properly handle the restore of Exchange system mailbox objects. To prevent these issues, it is recommended to clear the selection for such mailboxes at Step 2. Select Mailboxes to Restore. This excludes system mailboxes from processing.
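The second, narrower option above (a Read permission on the objectClass attribute rather than domain Administrators membership) is the least-privilege choice, and it is easy to get the inheritance setting wrong in the GUI. The following script is an added example, not part of the Veeam guide: it checks whether the Veeam Explorer account has an access control entry on the Microsoft Exchange System Objects container that grants Read on objectClass to the objects within the container only, and can add that entry when it is missing. It requires the ActiveDirectory PowerShell module (RSAT) and rights to read, and for the grant to modify, that container's ACL. $ExplorerAccount and $GrantIfMissing are placeholders; the schemaIDGUID of objectClass is read from the schema rather than hard-coded.

```powershell
# Added example, not part of the Veeam guide: verify (and optionally grant) Read on
# the objectClass attribute of "Microsoft Exchange System Objects", applied to the
# objects within the container only. $ExplorerAccount and $GrantIfMissing are placeholders.

Import-Module ActiveDirectory

$ExplorerAccount = 'CONTOSO\veeam-explorer'   # placeholder, DOMAIN\username
$GrantIfMissing  = $false                     # set to $true to add the ACE when it is absent

$domain      = Get-ADDomain
$containerDn = "CN=Microsoft Exchange System Objects,$($domain.DistinguishedName)"

# Look up the schemaIDGUID of the objectClass attribute from the schema; an ACE
# limited to a single attribute carries that GUID in its ObjectType field.
$schemaNc        = (Get-ADRootDSE).schemaNamingContext
$objectClassAttr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=objectClass)' -Properties schemaIDGUID
$objectClassGuid = [guid]$objectClassAttr.schemaIDGUID

$acl = Get-Acl -Path "AD:\$containerDn"

# Direct ACEs only: permissions the account receives through group membership are not expanded here.
$matching = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $ExplorerAccount -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -ne 0) -and
    ($_.ObjectType -eq $objectClassGuid -or $_.ObjectType -eq [guid]::Empty)   # empty GUID = all properties
})

# "Apply these permissions to objects and/or containers within this container only"
# corresponds to the inheritance type Descendents.
$correctlyScoped = $matching | Where-Object { $_.InheritanceType -eq 'Descendents' }

if ($correctlyScoped) {
    "OK: $ExplorerAccount can read objectClass on the objects within $containerDn"
} elseif ($matching) {
    Write-Warning "ACE found, but its inheritance is '$($matching[0].InheritanceType)' rather than 'Descendents'."
} else {
    Write-Warning "No direct ACE grants $ExplorerAccount Read on objectClass for $containerDn."
    if ($GrantIfMissing) {
        $sid  = (New-Object System.Security.Principal.NTAccount($ExplorerAccount)).Translate([System.Security.Principal.SecurityIdentifier])
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $objectClassGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents)
        $acl.AddAccessRule($rule)
        Set-Acl -Path "AD:\$containerDn" -AclObject $acl
        "Granted Read on objectClass (objects within the container only) to $ExplorerAccount."
    }
}
```

Because the check only inspects entries naming the account itself, an account that gets the permission through a group shows up as missing; in that case compare against the group name instead. The grant branch adds exactly one attribute-scoped ACE and nothing broader, which is the point of choosing this option over the domain Administrators group.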
- The account that is used for restore to a public folder should own a mailbox on the target Microsoft Exchange server.
- To restore folder(s)/item(s) to a Microsoft Exchange Online organization, the account you specify in the restore wizard needs sufficient access rights to the target. To restore to an on-premises Microsoft Exchange organization, the account you specify in the restore wizard needs the corresponding access rights:
  - If you plan to use an account that owns a mailbox on the target, make sure it has Full Access for that mailbox.
Full Access can be granted, for example, through impersonation, or through rights assignment with the following cmdlet:
Add-MailboxPermission -Identity "<target_mailbox>" -User "<user_account>" -AccessRights FullAccess -InheritanceType All
  - If you plan to use an account that does not own a mailbox on the target (for example, a service account), then access rights for the target mailbox should be granted through Exchange impersonation.
For example, you can run the following cmdlet:
New-ManagementRoleAssignment -Name "<role_name>" -Role ApplicationImpersonation -User "<user_account>" [-CustomRecipientScope "<scope>"]
The following cmdlet shows how you can narrow the set of mailboxes the assigned role can access at restore. For that, it uses the CustomRecipientScope parameter, with a sample Organizational Unit specified as the scope:
New-ManagementRoleAssignment -Name "Exchange Test" -Role ApplicationImpersonation -User "Test User" -CustomRecipientScope "spain.local/TargetUsers"
For more details on impersonation, please refer to MSDN (http://msdn.microsoft.com/en-us/library/bb204095.aspx) and to Veeam Explorers User Guide at https://www.veeam.com/documentation-guides-datasheets.html.
Recalling Privileges Granted Through Impersonation
When finished working with Veeam Backup for Microsoft Office 365, you may want to recall the privileges assigned to the user through impersonation. For that, run the following cmdlet, specifying the name you gave the role assignment when creating it:
Remove-ManagementRoleAssignment -Identity "<role_name>"
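The two impersonation cmdlets above (the scoped assignment and its removal) fit together into one small procedure for a restore service account: grant Application Impersonation over a single OU, show exactly what was granted, and revoke it when the restore work is done. The script below is an added example and is not part of the Veeam guide. It differs from the guide's sample in one respect: instead of passing an OU directly to -CustomRecipientScope, it creates a named management scope with New-ManagementScope and references it through -CustomRecipientWriteScope, so the same scope can be inspected and reused. -RecipientRoot applies to on-premises Exchange. $RestoreAccount, $TargetOu, $ScopeName and $AssignmentName are placeholders.

```powershell
# Added example, not part of the Veeam guide: scoped impersonation for a restore
# service account, with verification and clean removal. All four values below are
# placeholders; the OU mirrors the guide's sample.

$RestoreAccount = 'restore-svc'                    # placeholder
$TargetOu       = 'spain.local/TargetUsers'        # placeholder OU (on-premises Exchange)
$ScopeName      = 'Veeam Restore Targets'          # placeholder
$AssignmentName = 'Veeam Restore Impersonation'    # placeholder

function Grant-ScopedImpersonation {
    # Create the scope once: only user mailboxes below the target OU.
    if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
        New-ManagementScope -Name $ScopeName -RecipientRoot $TargetOu `
            -RecipientRestrictionFilter "RecipientTypeDetails -eq 'UserMailbox'" | Out-Null
    }
    # Idempotent: do not stack duplicate assignments on the account.
    if (-not (Get-ManagementRoleAssignment -Identity $AssignmentName -ErrorAction SilentlyContinue)) {
        New-ManagementRoleAssignment -Name $AssignmentName -Role ApplicationImpersonation `
            -User $RestoreAccount -CustomRecipientWriteScope $ScopeName | Out-Null
    }
}

function Test-ScopedImpersonation {
    # Show which role was granted, to whom, and how it is scoped.
    $assignment = Get-ManagementRoleAssignment -Identity $AssignmentName -ErrorAction Stop
    $assignment | Format-List Name, Role, RoleAssigneeName, CustomRecipientWriteScope, Enabled
    # Flag any ApplicationImpersonation assignment on this account that carries no custom scope,
    # since such an assignment reaches every mailbox in the organization.
    Get-ManagementRoleAssignment -RoleAssignee $RestoreAccount -Role ApplicationImpersonation |
        Where-Object { -not $_.CustomRecipientWriteScope } |
        ForEach-Object { Write-Warning "Unscoped ApplicationImpersonation assignment: $($_.Name)" }
}

function Revoke-ScopedImpersonation {
    # Remove the assignment first; a scope cannot be deleted while an assignment references it.
    if (Get-ManagementRoleAssignment -Identity $AssignmentName -ErrorAction SilentlyContinue) {
        Remove-ManagementRoleAssignment -Identity $AssignmentName -Confirm:$false
    }
    if (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue) {
        Remove-ManagementScope -Identity $ScopeName -Confirm:$false
    }
}

# Usage: Grant-ScopedImpersonation; Test-ScopedImpersonation;
# then, once the restore work is finished, Revoke-ScopedImpersonation.
```

Keeping the assignment name fixed in one variable is what makes the recall step safe: Remove-ManagementRoleAssignment is given the same name the grant used, so no other impersonation assignment on the account is touched.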