Veeam Backup for Microsoft Office 365 2.0
User Guide

Required Permissions

This section describes required permissions for user accounts that are going to be used to back up and recover your data.

For Backup

Required Permissions for Veeam Backup for Microsoft Office 365

By default, Veeam Backup for Microsoft Office 365 (Veeam Backup for Microsoft Office 365 Service) uses the Local System account. This account has administrative rights on the local machine and should not be changed for Veeam services.

Required Permissions for SharePoint Organizations

The account that is used to connect to Microsoft SharePoint organizations (On-Premises or Online) must belong to that organization and must conform to the following:

The account must be a member of the Farm Administrator group and must have the Site Collection Administrator role. This role can be assigned either automatically, when adding a new SharePoint organization, or manually. For more information on adding new organizations, see Adding Microsoft Organizations.

  • For SharePoint Online.

The account must have either the Global Administrator role, or the SharePoint Administrator role.

If you prefer to use PowerShell to assign the SharePoint Administrator role for SharePoint Online organizations, you can use the following code snippet.

Connect-MsolService

$role=Get-MsolRole -RoleName "SharePoint Service Administrator"

$accountname = "<UPN>"

Add-MsolRoleMember -RoleMemberEmailAddress $accountname -RoleName $role.Name

The MSOL module can be downloaded here.

The $accountname variable must be set to a user's UPN (for example, user.name@domain.com).

Required Permissions for Exchange Organizations

The account that is used to connect to Microsoft Exchange organizations (On-Premises or Online) must belong to that organization. Having a mailbox in that organization is optional.

This account must have the following Exchange roles:

  • Role Management role. To grant the ApplicationImpersonation role.
  • ApplicationImpersonation role. To allow this role assignment, the account must be granted the Organization Management permission.
  • Organization Configuration role. To manage role assignments.
  • View-Only Configuration role. To obtain the necessary organization configuration parameters.
  • View-Only Recipients role. To view mailbox recipients (required for job creation).
  • MailboxSearch or MailRecipients. To back up groups.

The ApplicationImpersonation role can be assigned by using any of the following methods:

  • Automatically, when adding Exchange organizations.
  • Manually, by using Exchange Management PowerShell cmdlets.
  • Using the Microsoft Exchange control panel.

If you plan to use email notifications on backup job results, the mailbox address that will be used as a notification sender must be delegated the rights to connect to the SMTP server. See Configuring Notification Settings.

Note:

If you have created a new Exchange Online organization, you may need to use the Exchange control panel or the PowerShell cmdlet Enable-OrganizationCustomization to allow the ApplicationImpersonation role to perform any modifications and assignments. For more information, see this Microsoft article.

Assigning ApplicationImpersonation Role via PowerShell

For Microsoft On-Premises Organizations

To assign the ApplicationImpersonation role for On-Premises organizations using PowerShell, do the following:

  1. Connect to the Exchange server.

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchangeServerName/PowerShell/ -Authentication Kerberos -Credential $UserCredential

Import-PSSession $Session

  2. Use the following cmdlet to grant the role.

New-ManagementRoleAssignment -Role ApplicationImpersonation -User "Administrator"

For Microsoft Online Organizations

To assign the ApplicationImpersonation role for Online organizations using PowerShell, do the following:

  1. Connect to the Exchange server.

$Credential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection

Import-PSSession $Session

To obtain the list of users whom the ApplicationImpersonation role has already been granted, use the following cmdlet (for both On-Premises and Online organizations).

Get-ManagementRoleAssignment -Role "ApplicationImpersonation"

To remove the role, use the following cmdlet (for both On-Premises and Online organizations).

Get-ManagementRoleAssignment -RoleAssignee "Administrator" -Role ApplicationImpersonation -RoleAssigneeType user | Remove-ManagementRoleAssignment

For Restore

If the Read permission was not granted for the account that is a member of the Authenticated users group, Veeam Explorer will not be able to recover Exchange system mailbox objects. It is recommended to avoid processing such mailboxes by deselecting them in the backup job wizard.

Add-MailboxPermission -Identity "<target_mailbox>" -User "<user_account>" -AccessRights FullAccess -InheritanceType All

New-ManagementRoleAssignment -Name "<role_name>" -Role ApplicationImpersonation -User "<user_account>" [-CustomRecipientScope "<scope>"]

The following cmdlet demonstrates how to narrow the group of users who will be assigned the appropriate roles to access the target mailbox. The CustomRecipientScope parameter is used with a sample Organizational Unit specified as the scope:

New-ManagementRoleAssignment -Name "Exchange Test" -Role ApplicationImpersonation -User "Test User" -CustomRecipientScope "spain.local/TargetUsers"
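The listing cmdlet and the scoped assignment described above can be combined into a periodic review of who holds ApplicationImpersonation and how widely. The following is an added example, not part of the Veeam documentation: Find-BroadImpersonation, its AllowedAssignees parameter and the sample records are hypothetical, while the property names follow Get-ManagementRoleAssignment output.

```powershell
# Added example: flag ApplicationImpersonation assignments that are org-wide,
# held by a group, or held by an account nobody expects.
# Find-BroadImpersonation and -AllowedAssignees are hypothetical names.
function Find-BroadImpersonation {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-ManagementRoleAssignment output.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Assignment,

        # Accounts expected to hold the role (for example, the backup account).
        [string[]]$AllowedAssignees = @()
    )
    process {
        $findings = @()
        if ($Assignment.RecipientWriteScope -eq 'Organization') {
            $findings += 'Org-wide: any mailbox can be impersonated'
        }
        if ($Assignment.RoleAssigneeType -ne 'User') {
            $findings += 'Granted to a group: every member inherits the role'
        }
        if ($AllowedAssignees -notcontains $Assignment.RoleAssigneeName) {
            $findings += 'Assignee is not on the allow list'
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Name     = $Assignment.Name
                Assignee = $Assignment.RoleAssigneeName
                Scope    = $Assignment.CustomRecipientWriteScope
                Findings = $findings -join '; '
            }
        }
    }
}

# Constructed sample records (not real output) so the function runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'Exchange Test'; RoleAssigneeName = 'Test User'; RoleAssigneeType = 'User'
                       RecipientWriteScope = 'CustomRecipientScope'; CustomRecipientWriteScope = 'TargetUsers' }
    [pscustomobject]@{ Name = 'ApplicationImpersonation-Administrator'; RoleAssigneeName = 'Administrator'
                       RoleAssigneeType = 'User'; RecipientWriteScope = 'Organization'; CustomRecipientWriteScope = $null }
)
$sample | Find-BroadImpersonation -AllowedAssignees 'Test User' | Format-List

# Against a live Exchange session, skipping delegating assignments:
# Get-ManagementRoleAssignment -Role ApplicationImpersonation -Delegating $false |
#     Find-BroadImpersonation -AllowedAssignees 'Test User'
```

With the sample data, only the unscoped "Administrator" assignment is reported; the scoped "Exchange Test" assignment passes.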

Recalling Privileges Granted Through Impersonation

When finished working with Veeam Backup for Microsoft Office 365, you may want to recall the privileges assigned to the user through impersonation. For that, run the following cmdlet:

Remove-ManagementRoleAssignment -Name "<role_name>"
