Continue with this section to learn how to configure user accounts.
In This Section
- Required Permissions for Veeam Backup for Microsoft Office 365
- Required Permissions for Microsoft SharePoint and OneDrive for Business Organizations
- Required Permissions for Microsoft Exchange Organizations
- Assigning ApplicationImpersonation Role via PowerShell
- Required Permissions for Microsoft Graph
- Required Permissions for Restore
Required Permissions for Veeam Backup for Microsoft Office 365
Veeam Backup for Microsoft Office 365 requires a Local System account for the following services:
- Veeam Backup for Microsoft Office 365 Service
- Veeam Backup Proxy for Microsoft Office 365 Service
|
The Local System account must not be changed. |
Required Permissions for Microsoft SharePoint and OneDrive for Business Organizations
The account you are using to connect to Microsoft SharePoint organizations (on-premises or Online) must belong to that organization and must conform to the following:
- For on-premises Microsoft SharePoint organizations.
The account being used must be a member of the Farm Administrator group and must have the Site Collection Administrator role. This role can be assigned either automatically, when adding a new organization with SharePoint services, or manually, as described in Microsoft Organizations Management.
- For Microsoft SharePoint Online organizations.
The account being used must have either the Global Administrator role or SharePoint Administrator role.
|
The addition of Microsoft SharePoint Online organizations requires both the view-only configuration and view-only recipients roles to be assigned to the account. |
Assigning SharePoint Service Administrator role in PowerShell
To assign the SharePoint Service Administrator role using PowerShell (for Microsoft SharePoint Online organizations), use the following code snippet.
Connect-MsolService $role=Get-MsolRole -RoleName "SharePoint Service Administrator" $accountname=example@domain.com Add-MsolRoleMember -RoleMemberEmailAddress $accountname -RoleName $role.Name |
The MSOL module can be downloaded from this Microsoft page.
The $accountname variable must be a user's UPN (e.g. example@domain.com).
Required Permissions for Microsoft Exchange Organizations
The account you are using to connect to Microsoft Exchange organizations (on-premises or Online) must belong to that organization; having a mailbox in such an organization is optional.
This account must have the following Exchange roles assigned:
- The Role Management role. To grant ApplicationImpersonation role.
- The ApplicationImpersonation role. To assign the role, make sure the account being used is a member of the Organization Management group and has been granted the Role Management role upfront.
The role can be assigned by using any of the following methods:
- Automatically, when adding organizations with Exchange data.
- Manually, by using Exchange Management PowerShell cmdlets.
- Via the Microsoft Exchange control panel. For more information, see this Microsoft article.
- The Organization Configuration role. To manage role assignments.
- The View-Only Configuration role. To obtain necessary configuration parameters.
- The View-Only Recipients role. To view mailbox recipients (required for backup job creation).
- Mailbox Search or Mail Recipients roles. To back up groups.
Assigning ApplicationImpersonation Role via PowerShell
For On-Premises Microsoft Exchange Organizations
To assign the ApplicationImpersonation role for on-premises Microsoft Exchange organizations, do the following:
- Connect to the Exchange server, as described in this Microsoft article.
- Run the following cmdlet to grant the role.
New-ManagementRoleAssignment –Role ApplicationImpersonation –User "Administrator" |
For Microsoft Office 365 Exchange Organizations
To assign the ApplicationImpersonation role for Microsoft Office 365 Exchange organizations, do the following:
- Connect to the Exchange server:
- For Basic Authentication, see this Microsoft article.
- For Modern Authentication, see this Microsoft article.
- Run the following cmdlet to grant the role.
New-ManagementRoleAssignment –Role ApplicationImpersonation –User user.name@domain.com |
To obtain the list of users whom the ApplicationImpersonation role has already been granted, use the following cmdlet (for both on-premises and Online organizations).
Get-ManagementRoleAssignment -Role "ApplicationImpersonation" |
To remove the role, use the following cmdlet (for both on-premises and Online organizations).
Get-ManagementRoleAssignment -RoleAssignee "Administrator" -Role ApplicationImpersonation -RoleAssigneeType user | Remove-ManagementRoleAssignment |
Required Permissions for Microsoft Graph
For more information, see Understanding Microsoft Graph.
Required Permissions for Restore
For more information about how to configure user accounts to restore data, see:
- Required Permissions in Veeam Explorer for Microsoft Exchange
- Required Permissions in Veeam Explorer for Microsoft SharePoint
