This section describes required permissions for user accounts that are going to be used to back up and recover your data.
Required Permissions for Veeam Backup for Microsoft Office 365
By default, the Veeam Backup for Microsoft Office 365 service runs under the Local System account. This account has administrative rights on the local machine, and the account under which the Veeam services run should not be changed.
Required Permissions for SharePoint Organizations
The account that is used to connect to Microsoft SharePoint organizations (On-Premises or Online) must belong to that organization and must conform to the following:
- For SharePoint On-Premises.
The account must be a member of the Farm Administrator group and must have the Site Collection Administrator role. This role can be assigned either automatically, when adding a new SharePoint organization, or manually. For more information on adding new organizations, see Adding Microsoft Organizations.
- For SharePoint Online.
The account must have either the Global Administrator role, or the SharePoint Administrator role.
If you prefer to use PowerShell to assign the SharePoint Administrator role for SharePoint Online organizations, you can use the following code snippet.
$role = Get-MsolRole -RoleName "SharePoint Service Administrator"
Add-MsolRoleMember -RoleMemberEmailAddress $accountname -RoleName $role.Name
The MSOL module can be downloaded here.
The $accountname variable must hold the user's UPN (for example, firstname.lastname@example.org).
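The snippet above adds the role unconditionally. As an added example (not code from the Veeam documentation), the following script assigns the SharePoint Administrator role only if the account does not already hold it, and then lists every member of the role so that unexpected holders of this administrative role are visible. It assumes the MSOnline module is installed and Connect-MsolService has already been run; the account UPN is a placeholder.

```powershell
# Added example, not part of the Veeam documentation.
# Assumes: MSOnline module installed and an active Connect-MsolService session.
$accountName = "backup.svc@example.org"   # placeholder UPN, replace with the backup account

$role = Get-MsolRole -RoleName "SharePoint Service Administrator"

# Current members of the role (users, groups and service principals)
$members = Get-MsolRoleMember -RoleObjectId $role.ObjectId

if ($members | Where-Object { $_.EmailAddress -eq $accountName }) {
    Write-Host "$accountName already holds $($role.Name); nothing to do."
} else {
    Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberEmailAddress $accountName
    Write-Host "Granted $($role.Name) to $accountName."
}

# Review the full membership: every entry here can administer SharePoint Online
Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Select-Object DisplayName, EmailAddress, RoleMemberType
```

Checking membership before adding keeps the script safe to re-run from automation, and the final listing is the review step a practitioner should keep in any script that grants an administrative role.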
Required Permissions for Exchange Organizations
The account that is used to connect to Microsoft Exchange organizations (On-Premises or Online) must belong to that organization. Having a mailbox in that organization is optional.
This account must have the following Exchange roles:
- Role Management role. To grant the ApplicationImpersonation role.
- ApplicationImpersonation role. To allow this role assignment, the account must be granted the Organization Management permission.
- Organization Configuration role. To manage role assignments.
- View-Only Configuration role. To obtain the necessary organization configuration parameters.
- View-Only Recipients role. To view mailbox recipients (required for job creation).
- Mailbox Search or Mail Recipients role. To back up groups.
The ApplicationImpersonation role can be assigned by using any of the following methods:
- Automatically, when adding Exchange organizations.
- Manually, by using Exchange Management PowerShell cmdlets.
- Using the Microsoft Exchange control panel.
If you plan to use email notifications on backup job results, the mailbox address that will be used as a notification sender must be delegated the rights to connect to the SMTP server. See Configuring Notification Settings.
If you have created a new Exchange Online organization, you may need to use the Exchange control panel or the Enable-OrganizationCustomization PowerShell cmdlet before the ApplicationImpersonation role can be modified or assigned. For more information, see this Microsoft article.
For Microsoft On-Premises Organizations
To assign the ApplicationImpersonation role for On-Premises organizations using PowerShell, do the following:
- Connect to the Exchange server and import the Exchange cmdlets into the local session.
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchangeServerName/PowerShell/ -Authentication Kerberos -Credential $UserCredential
Import-PSSession $Session
- Use the following cmdlet to grant the role.
New-ManagementRoleAssignment -Role ApplicationImpersonation -User "Administrator"
For Microsoft Online Organizations
To assign the ApplicationImpersonation role for Online organizations using PowerShell, do the following:
- Connect to Exchange Online and import the Exchange cmdlets into the local session.
$Credential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection
Import-PSSession $Session
To obtain the list of users to whom the ApplicationImpersonation role has already been granted, use the following cmdlet (for both On-Premises and Online organizations).
Get-ManagementRoleAssignment -Role "ApplicationImpersonation"
To remove the role, use the following cmdlet (for both On-Premises and Online organizations).
Get-ManagementRoleAssignment -RoleAssignee "Administrator" -Role ApplicationImpersonation -RoleAssigneeType user | Remove-ManagementRoleAssignment
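The connection, grant, listing and removal steps above are shown as separate cmdlets. As an added example (not code from the Veeam documentation), the following script puts them together: it connects to either an on-premises server or Exchange Online, audits every holder of ApplicationImpersonation before changing anything, and grants the role only if the backup account does not already hold it, under a named assignment so it can be removed cleanly. The server name, backup account and assignment name are placeholders; the function names are this example's own.

```powershell
# Added example, not part of the Veeam documentation. Placeholders: server name,
# backup account UPN and assignment name.

function Connect-ExchangeSession {
    param(
        [string]$ServerName = "exchangeServerName",   # placeholder, on-premises only
        [switch]$Online                               # connect to Exchange Online instead
    )
    $cred = Get-Credential
    if ($Online) {
        $uri  = "https://outlook.office365.com/powershell-liveid/"
        $auth = "Basic"
    } else {
        $uri  = "http://$ServerName/PowerShell/"
        $auth = "Kerberos"
    }
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $uri `
        -Credential $cred -Authentication $auth -AllowRedirection
    # Make the Exchange cmdlets available in the local session
    Import-PSSession $session -DisableNameChecking | Out-Null
    return $session
}

function Get-ImpersonationHolders {
    # Every assignment of the role; RoleAssigneeType shows whether it went to a user or a group,
    # and an empty CustomRecipientWriteScope means the assignee can impersonate the whole org
    Get-ManagementRoleAssignment -Role ApplicationImpersonation |
        Select-Object Name, RoleAssigneeName, RoleAssigneeType, CustomRecipientWriteScope
}

function Grant-ImpersonationIfMissing {
    param(
        [Parameter(Mandatory)] [string]$User,          # UPN or alias of the backup account
        [string]$AssignmentName = "VBO Impersonation"  # placeholder; used to find the grant later
    )
    $existing = Get-ManagementRoleAssignment -Role ApplicationImpersonation `
        -RoleAssignee $User -RoleAssigneeType User -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "$User already holds ApplicationImpersonation via '$($existing.Name)'."
        return $existing
    }
    New-ManagementRoleAssignment -Name $AssignmentName -Role ApplicationImpersonation -User $User
}

# Usage (on-premises; add -Online for Exchange Online):
$session = Connect-ExchangeSession -ServerName "exchangeServerName"
Get-ImpersonationHolders | Format-Table -AutoSize      # review before granting anything
Grant-ImpersonationIfMissing -User "backup.svc@example.org"   # placeholder account
Remove-PSSession $session
```

Listing the current holders first matters because ApplicationImpersonation lets an account act as any mailbox in its scope; the audit output is worth keeping with the change record, and the named assignment is what makes later removal unambiguous.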
- To be able to connect to the Veeam Backup for Microsoft Office 365 server from Veeam Explorers, you must use an account that belongs to the local Administrators group.
- To automatically resolve mailboxes in Veeam Explorer for Microsoft Exchange and filter out Exchange System Mailboxes, the account must meet one of the following conditions:
- The account is a member of the domain Administrators or Organization Management group.
- The account is granted Read permission for the objectClass attribute of the Microsoft Exchange System Objects container. Make sure to select the Apply these permissions to objects and/or containers within this container only option.
If the account is only a member of the Authenticated Users group and has not been granted this Read permission, Veeam Explorer will not be able to recover Exchange system mailbox objects. It is recommended to avoid processing such mailboxes by deselecting them in the backup job wizard.
- The account you are using for restoring data to a public folder should own a mailbox on the target Microsoft Exchange server.
- To restore folders/items back to Exchange Online organizations, the account you specify in the restore wizard requires sufficient permissions to access the target production server. To restore to the on-premises Microsoft Exchange organization, the account you specify in the restore wizard will need the corresponding access rights:
- If you plan to use the account that owns a mailbox on target, make sure it has Full Access.
Full Access can be granted, for example, through impersonation or via rights assignment with the following cmdlet:
Add-MailboxPermission -Identity "<target_mailbox>" -User "<user_account>" -AccessRights FullAccess -InheritanceType All
- If you plan to use the account that does not own a mailbox on the target server (for example, a service account), then access rights for the target mailbox should be granted through Exchange impersonation. For example, you can run the following cmdlet:
New-ManagementRoleAssignment -Name "<role_name>" -Role ApplicationImpersonation -User "<user_account>" [-CustomRecipientScope "<scope>"]
The following cmdlet shows how to narrow the scope of such an assignment: the CustomRecipientScope parameter limits the mailboxes the assignee can access to a sample organizational unit:
New-ManagementRoleAssignment -Name "Exchange Test" -Role ApplicationImpersonation -User "Test User" -CustomRecipientScope "spain.local/TargetUsers"
Recalling Privileges Granted Through Impersonation
When finished working with Veeam Backup for Microsoft Office 365, you may want to recall the privileges assigned to the user through impersonation. For that, run the following cmdlet:
Remove-ManagementRoleAssignment -Name "<role_name>"
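The restore-account section above presents two paths (Full Access for an account that owns a mailbox, scoped impersonation for a service account) and this section shows how to recall the impersonation grant. As an added example (not code from the Veeam documentation), the following script chooses the narrower of the two grants for a given restore account, verifies what was actually granted, and removes the impersonation assignment by name once the restore is finished. It assumes an Exchange remote PowerShell session has already been imported; the account, mailbox, OU and assignment names are placeholders and the function names are this example's own.

```powershell
# Added example, not part of the Veeam documentation.
# Assumes an imported Exchange remote PowerShell session. All names are placeholders.

function Grant-RestoreAccess {
    param(
        [Parameter(Mandatory)] [string]$RestoreAccount,
        [string]$TargetMailbox,      # set when the restore account owns a mailbox: Full Access on one mailbox
        [string]$RecipientScopeOU,   # set for a mailbox-less service account: impersonation limited to an OU
        [string]$AssignmentName = "VBO Restore Impersonation"   # placeholder, used for recall
    )
    if ($TargetMailbox) {
        # Narrowest option: Full Access to the single target mailbox, nothing org-wide
        Add-MailboxPermission -Identity $TargetMailbox -User $RestoreAccount `
            -AccessRights FullAccess -InheritanceType All | Out-Null
        # Verify the grant landed on exactly this mailbox
        return Get-MailboxPermission -Identity $TargetMailbox -User $RestoreAccount |
            Select-Object Identity, User, AccessRights, IsInherited
    }
    if ($RecipientScopeOU) {
        # Service account without a mailbox: impersonation, but scoped to one OU
        New-ManagementRoleAssignment -Name $AssignmentName -Role ApplicationImpersonation `
            -User $RestoreAccount -CustomRecipientScope $RecipientScopeOU | Out-Null
        # Verify the write scope really narrowed; an empty scope would mean org-wide impersonation
        $assignment = Get-ManagementRoleAssignment -Identity $AssignmentName
        if (-not $assignment.CustomRecipientWriteScope) {
            Remove-ManagementRoleAssignment -Identity $AssignmentName -Confirm:$false
            throw "Assignment '$AssignmentName' had no recipient scope; removed it rather than leave org-wide impersonation."
        }
        return $assignment | Select-Object Name, RoleAssigneeName, CustomRecipientWriteScope
    }
    throw "Specify either -TargetMailbox or -RecipientScopeOU."
}

function Revoke-RestoreImpersonation {
    param([string]$AssignmentName = "VBO Restore Impersonation")
    Remove-ManagementRoleAssignment -Identity $AssignmentName -Confirm:$false
    # Return $true only when nothing is left under that name
    return -not (Get-ManagementRoleAssignment -Identity $AssignmentName -ErrorAction SilentlyContinue)
}

# Usage (placeholders): scoped impersonation for a service account, then recall after the restore
Grant-RestoreAccess -RestoreAccount "restore.svc" -RecipientScopeOU "spain.local/TargetUsers"
# ... perform the restore ...
Revoke-RestoreImpersonation
```

Returning the verified permission or assignment from the grant function gives the operator a record of what was actually granted, and the recall function's boolean result is the check that the temporary privilege is gone once the restore job is complete.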