Required Permissions

In this article

    Microsoft Organizations

    To protect your data using Veeam Backup for Microsoft 365, you use Veeam Backup account and Azure AD application. Depending on configuration of Microsoft 365 organizations and the restrictions on using legacy authentication protocols, you can add organizations using either modern app-only authentication, or modern authentication method with legacy protocols allowed, or basic authentication.  

    When you add Microsoft 365 organization using the modern app-only authentication method, you use only Azure AD application to establish and maintain connection between Veeam Backup for Microsoft 365 and Microsoft 365 organizations and perform a backup and restore from/to such organizations.

    When you add Microsoft 365 organization using modern authentication with legacy protocols allowed, you use both Veeam Backup account and Azure AD application to establish and maintain connection between Veeam Backup for Microsoft 365 and Microsoft 365 organizations and perform a backup and restore from/to such organizations. You use MFA-enabled Microsoft 365 user account as Veeam Backup account.

    When you add Microsoft 365 organization using basic authentication or an on-premises Microsoft organization, you use Veeam Backup account to establish and maintain connection between Veeam Backup for Microsoft 365 and such organizations and perform a backup and restore.  

    Depending on authentication methods you use, you must grant permissions to Veeam Backup account or Azure AD application, or both accounts.

    Restore Portal

    If you allow users to perform self-service restore using Restore Portal, you must grant permissions to Azure AD application to ensure users authentication to the portal with their Microsoft 365 user account credentials. For more information, see Permissions for Authentication to Restore Portal.

    Azure Archiver Appliance

    If you want to use the Azure archiver appliance when Veeam Backup for Microsoft 365 copies backed-up data from Azure Blob storage to Azure Archive storage, you must assign the required roles to a user account that you use to create Azure AD application for the Microsoft Azure service account. For more information, see Permissions for Azure Archiver Appliance.

    Amazon S3 Storage

    If you store Microsoft 365 and on-premises Microsoft organization backups in Amazon S3 object storage, you must grant permissions to a user account that you use to access Amazon buckets and folders. For more information, see Amazon S3 Storage Permissions.

    Azure Archive Storage

    If you create an instance of Microsoft 365 and on-premises Microsoft organization backups in Azure Blob Storage Archive access tier, you must grant permissions to a user account that you use to access Azure archive storage. For more information, see Azure Archive Storage Permissions.

    In This Section