Help Center
Choose product document...
Veeam Backup for Microsoft Office 365
User Guide

Required Permissions

Be sure that you have the following permissions configured accordingly before you start using Veeam Backup for Microsoft Office 365.

For Backup

Required Permissions for Veeam Backup for Microsoft Office 365

By default, Veeam Backup for Microsoft Office 365 (Veeam Backup for Microsoft Office 365 Service) is running under the Local System account. This account has administrative rights on the local machine. Do not change this account for the Veeam service.

Required Permissions for Exchange Organizations

The account that is used to connect to Exchange organizations (on-premises or online) should belong to that organization. Having a mailbox in that organization is optional. This account should have the following Exchange roles:

The ApplicationImpersonation role can be assigned by using any of the following methods:

If you plan to use email notifications on backup job results, the mailbox address that will be used as a notification sender should be delegated the rights to connect to the SMTP server. See Configuring Notification Settings.

Required Permissions Note:

If you have created a new Exchange online organization, you may need to use the Exchange control panel or PowerShell cmdlet (Enable-OrganizationCustomization) to allow the ApplicationImpersonation role to perform any modifications and assignments. For more information, see this Microsoft article.

Assigning the ApplicationImpersonation Role via PowerShell

To assign the ApplicationImpersonation role using PowerShell, do the following:

  1. Connect to the Exchange server.

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchangeServerName/PowerShell/ -Authentication Kerberos -Credential $UserCredential

Import-PSSession $Session

  1. Use the following cmdlet to grant the role.

New-ManagementRoleAssignment –Role ApplicationImpersonation –User "Administrator"

To obtain the list of users whom the ApplicationImpersonation role has already been granted, use the following cmdlet.

Get-ManagementRoleAssignment -Role "ApplicationImpersonation"

To remove the role, use the following cmdlet.

Get-ManagementRoleAssignment -RoleAssignee "Administrator" -Role ApplicationImpersonation -RoleAssigneeType user | Remove-ManagementRoleAssignment

For Restore

If the Read permission was not granted for the account that is a member of the Authenticated users group, Veeam Explorer will not be able to recover Exchange system mailbox objects. It is recommended to avoid processing such mailboxes by deselecting them in the backup job wizard.

Add-MailboxPermission –Identity “<target_mailbox>” -User “<user_account>” -AccessRights FullAccess –InheritanceType All

New-ManagementRoleAssignment -Name "<role_name>" -Role ApplicationImpersonation -User "<user_account>" [-CustomRecipientScope "<scope>"]

The following cmdlet demonstrates how to narrow the group of users whom will be assigned appropriate roles to access the target mailbox. The CustomRecipientScope parameter is used with sample Organizational Unit specified as the scope:

New-ManagementRoleAssignment -Name "Exchange Test" -Role ApplicationImpersonation -User "Test User" -CustomRecipientScope "spain.local/TargetUsers"

Recalling Privileges Granted Through Impersonation

When finished working with Veeam Backup for Microsoft Office 365, you may want to recall the privileges assigned to the user through impersonation. For that, run the following cmdlet:

Remove-ManagementRoleAssignment -Name "<role_name>"

Veeam Large Logo

User Guide

RESTful API Reference

PowerShell Reference