Continue with this section to learn how to configure user accounts.
In This Section
- Required Permissions for Veeam Backup for Microsoft Office 365
- Required Permissions for Microsoft SharePoint and OneDrive for Business Organizations
- Required Permissions for Microsoft Exchange Organizations
- Assigning ApplicationImpersonation Role via PowerShell
- Required Permissions for Microsoft Graph
- Required Permissions for Restore
Veeam Backup for Microsoft Office 365 requires a Local System account for the following services:
- Veeam Backup for Microsoft Office 365 Service
- Veeam Backup Proxy for Microsoft Office 365 Service
The Local System account must not be changed.
The account you are using to connect to Microsoft SharePoint organizations (on-premises or Online) must belong to that organization and must conform to the following:
- For on-premises Microsoft SharePoint organizations.
The account being used must be a member of the Farm Administrator group and must have the Site Collection Administrator role. This role can be assigned either automatically, when adding a new organization with SharePoint services, or manually, as described in Microsoft Organizations Management.
- For Microsoft SharePoint Online organizations.
The account being used must have either the Global Administrator role or SharePoint Administrator role.
The addition of Microsoft SharePoint Online organizations requires both the view-only configuration and view-only recipients roles to be assigned to the account.
Assigning SharePoint Service Administrator role in PowerShell
To assign the SharePoint Service Administrator role using PowerShell (for Microsoft SharePoint Online organizations), use the following code snippet.
$role=Get-MsolRole -RoleName "SharePoint Service Administrator"
Add-MsolRoleMember -RoleMemberEmailAddress $accountname -RoleName $role.Name
The MSOL module can be downloaded from this Microsoft page.
The $accountname variable must be a user's UPN (e.g. firstname.lastname@example.org).
The account you are using to connect to Microsoft Exchange organizations (on-premises or Online) must belong to that organization; having a mailbox in such an organization is optional.
This account must have the following Exchange roles assigned:
- The Role Management role. To grant ApplicationImpersonation role.
- The ApplicationImpersonation role. To assign the role, make sure the account being used is a member of the Organization Management group and has been granted the Role Management role upfront.
The role can be assigned by using any of the following methods:
- Automatically, when adding organizations with Exchange data.
- Manually, by using Exchange Management PowerShell cmdlets.
- Via the Microsoft Exchange control panel. For more information, see this Microsoft article.
- The Organization Configuration role. To manage role assignments.
- The View-Only Configuration role. To obtain necessary configuration parameters.
- The View-Only Recipients role. To view mailbox recipients (required for backup job creation).
- Mailbox Search or Mail Recipients roles. To back up groups.
For On-Premises Microsoft Exchange Organizations
To assign the ApplicationImpersonation role for on-premises Microsoft Exchange organizations, do the following:
- Connect to the Exchange server, as described in this Microsoft article.
- Run the following cmdlet to grant the role.
New-ManagementRoleAssignment –Role ApplicationImpersonation –User "Administrator"
For Microsoft Office 365 Exchange Organizations
To assign the ApplicationImpersonation role for Microsoft Office 365 Exchange organizations, do the following:
- Connect to the Exchange server:
- For Basic Authentication, see this Microsoft article.
- For Modern Authentication, see this Microsoft article.
- Run the following cmdlet to grant the role.
New-ManagementRoleAssignment –Role ApplicationImpersonation –User email@example.com
To obtain the list of users whom the ApplicationImpersonation role has already been granted, use the following cmdlet (for both on-premises and Online organizations).
Get-ManagementRoleAssignment -Role "ApplicationImpersonation"
To remove the role, use the following cmdlet (for both on-premises and Online organizations).
Get-ManagementRoleAssignment -RoleAssignee "Administrator" -Role ApplicationImpersonation -RoleAssigneeType user | Remove-ManagementRoleAssignment
For more information, see Understanding Microsoft Graph.
For more information about how to configure user accounts to restore data, see:
- Required Permissions in Veeam Explorer for Microsoft Exchange
- Required Permissions in Veeam Explorer for Microsoft SharePoint