Veeam Backup for Microsoft Office 365 3.0
User Guide

Required Permissions

Continue with this section to learn how to configure user accounts.

In This Section

Required Permissions for Veeam Backup for Microsoft Office 365

Veeam Backup for Microsoft Office 365 (Veeam Backup for Microsoft Office 365 Service) uses the Local System account. This account must not be changed for any of the Veeam services.

Required Permissions for Microsoft SharePoint and OneDrive for Business Organizations

The account you are using to connect to Microsoft SharePoint organizations (on-premises or Online) must belong to that organization and must conform to the following:

  • For on-premises Microsoft SharePoint organizations.

The account being used must be a member of the Farm Administrator group and must have the Site Collection Administrator role. This role can be assigned either automatically, when adding a new organization with SharePoint services, or manually, as described in Microsoft Organizations Management.

  • For Microsoft SharePoint Online organizations.

The account being used must have either the Global Administrator role or SharePoint Administrator role.

To assign the SharePoint Administrator role using PowerShell (for SharePoint Online organizations), use the following code snippet.

Connect-MsolService

$role=Get-MsolRole -RoleName "SharePoint Service Administrator"

$accountname="example@domain.com"

Add-MsolRoleMember -RoleMemberEmailAddress $accountname -RoleName $role.Name

The MSOL module can be downloaded from this Microsoft page.

The $accountname variable must be a user's UPN (e.g. example@domain.com).

Required Permissions for Microsoft Exchange Organizations

The account you are using to connect to Microsoft Exchange organizations (on-premises or Online) must belong to that organization; having a mailbox in such an organization is optional.

This account must have the following Exchange roles assigned:

The role can be assigned by using any of the following methods:

  • The Organization Configuration role. To manage role assignments.
  • The View-Only Configuration role. To obtain necessary configuration parameters.
  • The View-Only Recipients role. To view mailbox recipients (required for backup job creation).
  • Mailbox Search or Mail Recipients roles. To back up groups.

Assigning ApplicationImpersonation Role via PowerShell

For On-Premises Microsoft Exchange Organizations

To assign the ApplicationImpersonation role for on-premises Microsoft Exchange organizations, do the following:

  1. Connect to the Exchange server, as described in this Microsoft article.
  2. Run the following cmdlet to grant the role.

New-ManagementRoleAssignment -Role ApplicationImpersonation -User "Administrator"

For Microsoft Office 365 Exchange Organizations

To assign the ApplicationImpersonation role for Microsoft Office 365 Exchange organizations, do the following:

  1. Connect to the Exchange server:
  2. Run the following cmdlet to grant the role.

New-ManagementRoleAssignment -Role ApplicationImpersonation -User "user.name@domain.com"

To obtain the list of users whom the ApplicationImpersonation role has already been granted, use the following cmdlet (for both on-premises and Online organizations).

Get-ManagementRoleAssignment -Role "ApplicationImpersonation"

To remove the role, use the following cmdlet (for both on-premises and Online organizations).

Get-ManagementRoleAssignment -RoleAssignee "Administrator" -Role ApplicationImpersonation -RoleAssigneeType user | Remove-ManagementRoleAssignment
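
Because ApplicationImpersonation lets its holder act as any mailbox in scope, the list returned by Get-ManagementRoleAssignment is worth checking against the accounts you expect to hold the role. The following is an added example, not part of the original Veeam guide: the function name Test-ImpersonationAssignment, the approved list and the sample rows are constructed for illustration, and the property names are those returned by Get-ManagementRoleAssignment.

```powershell
# Added example: flag ApplicationImpersonation assignments that need review.
# Test-ImpersonationAssignment, $approved and $sample are hypothetical names/data.
function Test-ImpersonationAssignment {
    param(
        [Parameter(Mandatory)] [object[]] $Assignment,
        [Parameter(Mandatory)] [string[]] $ApprovedAssignee
    )
    foreach ($a in $Assignment) {
        if (-not $a.Enabled) { continue }   # disabled assignments grant nothing
        $reasons = @()
        if ($ApprovedAssignee -notcontains $a.RoleAssigneeName) {
            $reasons += 'assignee is not on the approved list'
        }
        if ("$($a.RoleAssigneeType)" -ne 'User') {
            # Group assignments widen silently whenever group membership changes.
            $reasons += "assigned to a $($a.RoleAssigneeType), not a single user"
        }
        [pscustomobject]@{
            Assignment  = $a.Name
            Assignee    = $a.RoleAssigneeName
            Scope       = $a.RecipientWriteScope   # 'Organization' = every mailbox
            NeedsReview = ($reasons.Count -gt 0)
            Reasons     = $reasons -join '; '
        }
    }
}

# Constructed rows shaped like Get-ManagementRoleAssignment output.
$sample = @(
    [pscustomobject]@{ Name = 'ApplicationImpersonation-svc-backup'; RoleAssigneeName = 'svc-backup'
                       RoleAssigneeType = 'User'; RecipientWriteScope = 'Organization'; Enabled = $true }
    [pscustomobject]@{ Name = 'ApplicationImpersonation-j.doe'; RoleAssigneeName = 'j.doe'
                       RoleAssigneeType = 'User'; RecipientWriteScope = 'Organization'; Enabled = $true }
    [pscustomobject]@{ Name = 'ApplicationImpersonation-HelpDesk'; RoleAssigneeName = 'HelpDesk'
                       RoleAssigneeType = 'RoleGroup'; RecipientWriteScope = 'Organization'; Enabled = $true }
    [pscustomobject]@{ Name = 'ApplicationImpersonation-old-svc'; RoleAssigneeName = 'old-svc'
                       RoleAssigneeType = 'User'; RecipientWriteScope = 'Organization'; Enabled = $false }
)
$approved = @('svc-backup')   # the account used for the backup connection

Test-ImpersonationAssignment -Assignment $sample -ApprovedAssignee $approved |
    Format-Table -AutoSize -Wrap

# Against a live organization, after connecting as described above:
# Test-ImpersonationAssignment -ApprovedAssignee $approved `
#     -Assignment (Get-ManagementRoleAssignment -Role "ApplicationImpersonation")
```

Rows with NeedsReview set to True are candidates for the removal cmdlet shown above once you have confirmed the assignment is not required.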

Required Permissions for Microsoft Graph

For more information, see Understanding Microsoft Graph.

Required Permissions for Restore

For more information about how to configure user accounts to restore data, see:
