Permissions

Microsoft Organizations

Veeam Backup for Microsoft 365 uses a Veeam Backup account and an Azure AD application to establish and maintain a connection between Veeam Backup for Microsoft 365 and Microsoft 365 organizations or on-premises Microsoft organizations, and to perform backup and restore of the organization data.

Note

Microsoft has recently renamed Azure Active Directory to Microsoft Entra ID and Azure AD applications to Microsoft Entra applications. However, these entities are still referred to as Azure Active Directory and Azure AD applications both in this guide and in the Veeam Backup for Microsoft 365 user interface; this naming is subject to change in a future release. For more information, see this Microsoft article.

What the product requires depends on the Microsoft organization type and on the authentication method used to add a Microsoft 365 organization. The following options are available:

  • For on-premises Microsoft organizations, Veeam Backup for Microsoft 365 uses only a Veeam Backup account.
  • For Microsoft 365 organizations, it depends on the authentication method that you use when adding a particular Microsoft 365 organization.

Depending on the configuration of Microsoft 365 organizations and the restrictions on using legacy authentication protocols, you can add organizations using the modern app-only authentication method, the modern authentication method with legacy protocols allowed, or the basic authentication method.

Consider the following:

  • When you add a Microsoft 365 organization using the modern app-only authentication method, Veeam Backup for Microsoft 365 uses only an Azure AD application.
  • When you add a Microsoft 365 organization using the modern authentication method with legacy protocols allowed, Veeam Backup for Microsoft 365 uses both a Veeam Backup account and an Azure AD application. The product requires an MFA-enabled Microsoft 365 user account as the Veeam Backup account.
  • When you add a Microsoft 365 organization using basic authentication, Veeam Backup for Microsoft 365 uses only a Veeam Backup account.

Depending on the authentication method you use, you must grant permissions to the Veeam Backup account, to the Azure AD application, or to both. For more information, see Veeam Backup Account Permissions and Azure AD Application Permissions.

Restore Portal

If you allow users to perform self-service restore using Restore Portal, you must grant permissions to an Azure AD application so that users can authenticate to the portal with their Microsoft 365 user account credentials. For more information, see Permissions for Authentication to Restore Portal.

Azure Archiver Appliance

If you want to use the Azure archiver appliance when Veeam Backup for Microsoft 365 copies backed-up data between different instances of Azure Blob Storage or to Azure Blob Storage Archive, you must assign the required roles to a user account that you use to create an Azure AD application for the Microsoft Azure service account. For more information, see Permissions for Azure Archiver Appliance.

Amazon S3 Storage

If you want to store Microsoft 365 and on-premises Microsoft organization backups and backup copies in Amazon S3 object storage, you must grant permissions for each Amazon S3 object storage and allow a user account to access Amazon buckets and folders. For more information, see Amazon S3 Storage Permissions.

Azure Blob Storage and Azure Blob Storage Archive

If you want to store Microsoft 365 and on-premises Microsoft organization backups and backup copies in Azure Blob Storage and Azure Blob Storage Archive, you must grant permissions to a user account that you use to access this object storage. For more information, see Azure Blob Storage Permissions.
