Make sure that the following permissions are configured before you start using the Veeam Backup for Microsoft Office 365 application.
- By default, Veeam Backup for Microsoft Office 365 (Veeam Backup for Microsoft Office 365 Service) runs under the Local System account, which has administrative rights on the local machine. If you want to grant that service access to any resources, you should do that for the corresponding local computer account. Do not change this account for the Veeam service.
- The account that is used to connect to the Exchange organization (on-premises or online) for mailbox data backup should belong to that organization. Having a mailbox in that organization is optional.
- This account should have the following Exchange roles:
  - Organization Management role – to manage role assignments
  - Application Impersonation role
  - View-Only Configuration role – to obtain the necessary organization configuration parameters
  - View-Only Recipients role – to view the list of mailbox recipients (required for job creation)
  To allow automated Application Impersonation role assignment, assign the Organization Management role to that account (Role Management role may be insufficient).
- This account should also have the Application Impersonation role. This role can be assigned using any of the following methods:
  - Automatically (recommended), by selecting the corresponding option when adding Microsoft Exchange Online Organization to the solution scope.
  - Manually, by using Exchange Management PowerShell cmdlets.
  - By role assignment in Exchange Control Panel.
  If your Exchange Online organization has just been created, you may need to use Exchange Control Panel or the Enable-OrganizationCustomization PowerShell cmdlet to allow that role to perform any modifications and assignments. See the following Microsoft TechNet article for more information: https://technet.microsoft.com/en-us/library/jj200665(v=exchg.160).aspx.
- If you plan to use e-mail notifications on backup job results, the mailbox address that will be used as the notification sender should be delegated the rights to connect to the SMTP server. See Configuring Notification Settings.
- The user account that will be used to connect to the Windows server where the backup proxy will run should have local Administrator rights for the backup proxy server. This can be the account currently logged in (default option), or another account specified using the DOMAIN\username format. See Configuring Backup Proxies for details.
- To be able to connect to Veeam Backup for Microsoft Office 365 from Veeam Explorer for Exchange, the user account (either the one under which Veeam Explorer for Exchange is running, or a different account) should have local administrative rights on the machine where Veeam Backup for Office 365 works. See also Adding Databases to the Scope Manually.
- Veeam Explorer for Microsoft Exchange can automatically resolve mailboxes (discover mailbox addresses for specified names) and filter out Exchange System Mailboxes when selecting mailboxes to restore. Therefore, the account under which Veeam Explorer runs should have sufficient rights for Active Directory access:
  - This account can be included in the domain Administrators or Organization Management group.
  - Alternatively, this account can be granted Read permission for the objectClass attribute of the Microsoft Exchange System Object container. Make sure to select the Apply these permissions to objects and/or containers within this container only option.
  If the Veeam Explorer for Exchange account is included in the Authenticated Users group but is not granted this permission, it will not be able to properly handle the restore of Exchange system mailbox objects. To prevent these issues, it is recommended to clear the selection for such mailboxes displayed at Step 2. Select Mailboxes to Restore. This will exclude system mailboxes from processing.
- The account that is used for restore to a public folder should own a mailbox on the target Microsoft Exchange server.
- To restore folder(s)/item(s) to the Microsoft Exchange Online Organization, the account you specify in the restore wizard will need sufficient access rights to the target. To restore to the on-premises Microsoft Exchange organization, the account you specify in the restore wizard will need corresponding access rights:
  - If you plan to use the account that owns a mailbox on the target, make sure it has Full Access for that mailbox.
    Full Access can be granted, for example, through impersonation, or through rights assignment with the following cmdlet:
    Add-MailboxPermission -Identity "<target_mailbox>" -User "<user_account>" -AccessRights FullAccess -InheritanceType All
  - If you plan to use the account that does not own a mailbox on the target (for example, a service account), then access rights for target mailbox should be granted through Exchange impersonation.
    For example, you can run the following cmdlet:
    New-ManagementRoleAssignment -Name "<role_name>" -Role ApplicationImpersonation -User "<user_account>" [-CustomRecipientScope "<scope>"]
    The following cmdlet shows how you can narrow the group of users who will be assigned the appropriate role to access the target mailbox at restore. For that, it uses the CustomRecipientScope parameter, with sample Organizational Unit specified as the scope:
    New-ManagementRoleAssignment -Name "Exchange Test" -Role ApplicationImpersonation -User "Test User" -CustomRecipientScope "spain.local/TargetUsers"
Recalling Privileges Granted Through Impersonation
When finished working with Veeam Backup for Microsoft Office 365, you may want to recall the privileges assigned to the user through impersonation. For that, you can run the following cmdlet:
Remove-ManagementRoleAssignment -Identity "<role_name>"
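
The grant and recall steps above can be tied together so that the impersonation right exists only for the duration of a restore and is revoked even if the restore fails. The following is an added example, not part of the original page and not Veeam's own code. Assumptions: it runs in an Exchange Management Shell session under an account allowed to manage role assignments; the function name, the assignment naming convention and the Read-Host pause are hypothetical; "<user_account>" and "<scope>" are the page's placeholders.

```powershell
# Added example (not Veeam code): time-boxed, scoped ApplicationImpersonation.
function Invoke-WithScopedImpersonation {
    param(
        [Parameter(Mandatory)] [string] $User,        # account used in the restore wizard
        [Parameter(Mandatory)] [string] $Scope,       # value passed to -CustomRecipientScope
        [Parameter(Mandatory)] [scriptblock] $Action  # work to do while the grant exists
    )

    # Recognizable, unique assignment name (hypothetical naming convention).
    $name = 'VeeamRestore-{0:yyyyMMddHHmmss}' -f (Get-Date)

    try {
        New-ManagementRoleAssignment -Name $name -Role ApplicationImpersonation `
            -User $User -CustomRecipientScope $Scope -ErrorAction Stop | Out-Null

        # Refuse to continue if the assignment ended up organization-wide.
        $created = Get-ManagementRoleAssignment -Identity $name -ErrorAction Stop
        if ($created.RecipientWriteScope -eq 'Organization') {
            throw "Assignment '$name' is not scoped; aborting."
        }

        & $Action
    }
    finally {
        # Recall the privilege even if the check or the restore failed.
        if (Get-ManagementRoleAssignment -Identity $name -ErrorAction SilentlyContinue) {
            Remove-ManagementRoleAssignment -Identity $name -Confirm:$false
        }
    }
}

# Keep the grant only while the operator runs the restore wizard.
Invoke-WithScopedImpersonation -User '<user_account>' -Scope '<scope>' -Action {
    Read-Host 'Run the restore now, then press Enter to revoke impersonation'
}

# Audit: every account that still holds ApplicationImpersonation, with its scope.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object Name, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope
```

Rows in the audit output with RecipientWriteScope set to Organization are the ones to review first, since those accounts can impersonate any mailbox.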