Make sure that the following permissions are configured before you start using Veeam Backup for Microsoft Office 365.
Required Permissions for Veeam Backup for Microsoft Office 365
By default, Veeam Backup for Microsoft Office 365 (Veeam Backup for Microsoft Office 365 Service) runs under the Local System account. This account has administrative rights on the local machine. Do not change this account for the Veeam service.
Required Permissions for Exchange Organizations
The account that is used to connect to Exchange organizations (on-premises or online) should belong to that organization. Having a mailbox in that organization is optional. This account should have the following Exchange roles:
- Role Management role. To grant the ApplicationImpersonation role.
- ApplicationImpersonation role. To allow this role assignment, the account must be granted the Organization Management permission.
- Organization Configuration role. To manage role assignments.
- View-Only Configuration role. To obtain the necessary organization configuration parameters.
- View-Only Recipients role. To view mailbox recipients (required for job creation).
The ApplicationImpersonation role can be assigned by using any of the following methods:
- Automatically, when adding Exchange organizations.
- Manually, by using Exchange Management PowerShell cmdlets.
- Using the Microsoft Exchange control panel.
If you plan to use email notifications on backup job results, the mailbox address that will be used as a notification sender should be delegated the rights to connect to the SMTP server. See Configuring Notification Settings.
If you have created a new Exchange Online organization, you may need to use the Exchange control panel or the Enable-OrganizationCustomization PowerShell cmdlet to allow the ApplicationImpersonation role to perform any modifications and assignments. For more information, see this Microsoft article.
To assign the ApplicationImpersonation role using PowerShell, do the following:
- Connect to the Exchange server.
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchangeServerName/PowerShell/ -Authentication Kerberos -Credential $UserCredential
Import-PSSession $Session
- Use the following cmdlet to grant the role.
New-ManagementRoleAssignment -Role ApplicationImpersonation -User "Administrator"
To obtain the list of users to whom the ApplicationImpersonation role has already been granted, use the following cmdlet.
Get-ManagementRoleAssignment -Role "ApplicationImpersonation"
To remove the role, use the following cmdlet.
Get-ManagementRoleAssignment -RoleAssignee "Administrator" -Role ApplicationImpersonation -RoleAssigneeType user | Remove-ManagementRoleAssignment
- To be able to connect to the Veeam Backup for Microsoft Office 365 server from Veeam Explorers, you must use the account that belongs to the local Administrator group.
- To automatically resolve mailboxes in Veeam Explorer for Microsoft Exchange and filter out Exchange System Mailboxes, you must configure your account according to the following:
- This account can be included in the domain Administrators or Organization Management group.
- This account can be granted Read permission for the objectClass attribute of the Microsoft Exchange System Object container. Make sure to select the Apply these permissions to objects and/or containers within this container only option.
If the Read permission was not granted for the account that is a member of the Authenticated users group, Veeam Explorer will not be able to recover Exchange system mailbox objects. It is recommended to avoid processing such mailboxes by deselecting them in the backup job wizard.
- The account for restore to a public folder should own a mailbox on the target Microsoft Exchange server.
- To restore folders/items back to the Microsoft online organization, the account you specify in the restore wizard requires sufficient permissions to access the target production server. To restore to the on-premises Microsoft Exchange organization, the account you specify in the restore wizard will need the corresponding access rights:
- If you plan to use an account that owns a mailbox on the target server, make sure it has Full Access for that mailbox.
Full Access can be granted, for example, through impersonation, or through rights assignment with the following cmdlet:
Add-MailboxPermission -Identity "<target_mailbox>" -User "<user_account>" -AccessRights FullAccess -InheritanceType All
- If you plan to use an account that does not own a mailbox on the target server (for example, a service account), then access rights for the target mailbox should be granted through Exchange impersonation. For example, you can run the following cmdlet:
New-ManagementRoleAssignment -Name "<role_name>" -Role ApplicationImpersonation -User "<user_account>" [-CustomRecipientScope "<scope>"]
The following cmdlet demonstrates how to limit the scope of the role assignment used to access the target mailbox. The CustomRecipientScope parameter is used with a sample organizational unit specified as the scope:
New-ManagementRoleAssignment -Name "Exchange Test" -Role ApplicationImpersonation -User "Test User" -CustomRecipientScope "spain.local/TargetUsers"
Recalling Privileges Granted Through Impersonation
When finished working with Veeam Backup for Microsoft Office 365, you may want to recall the privileges assigned to the user through impersonation. For that, run the following cmdlet:
Remove-ManagementRoleAssignment -Name "<role_name>"
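The listing, scoping and recall cmdlets above can be combined into a periodic review of who holds ApplicationImpersonation and whether each assignment is limited to a scope. The following PowerShell is an added example, not part of the original Veeam documentation; the function name Get-ImpersonationScopeReport, the scope name TargetUsers and the sample objects are assumptions constructed for illustration.

```powershell
# Added example (not Veeam's code): classify ApplicationImpersonation
# assignments by how far their recipient write scope reaches.
function Get-ImpersonationScopeReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Assignment
    )
    process {
        # RecipientWriteScope / CustomRecipientWriteScope are properties of the
        # objects returned by Get-ManagementRoleAssignment.
        $scopeType = [string]$Assignment.RecipientWriteScope
        $finding = switch ($scopeType) {
            'Organization'         { 'UNSCOPED: may impersonate any mailbox' }
            'CustomRecipientScope' { "Scoped to '$($Assignment.CustomRecipientWriteScope)'" }
            default                { "Review manually (scope type '$scopeType')" }
        }
        [pscustomobject]@{
            Name     = $Assignment.Name
            Assignee = $Assignment.RoleAssigneeName
            Enabled  = $Assignment.Enabled
            Finding  = $finding
            # Recall command from this page, prepared for review before use.
            Recall   = "Remove-ManagementRoleAssignment -Name `"$($Assignment.Name)`""
        }
    }
}

# Constructed sample objects standing in for live cmdlet output.
$sample = @(
    [pscustomobject]@{
        Name = 'ApplicationImpersonation-Administrator'; RoleAssigneeName = 'Administrator'
        Enabled = $true; RecipientWriteScope = 'Organization'; CustomRecipientWriteScope = $null
    },
    [pscustomobject]@{
        Name = 'Exchange Test'; RoleAssigneeName = 'Test User'
        Enabled = $true; RecipientWriteScope = 'CustomRecipientScope'; CustomRecipientWriteScope = 'TargetUsers'
    }
)
$sample | Get-ImpersonationScopeReport | Format-List

# Against a live Exchange session:
# Get-ManagementRoleAssignment -Role ApplicationImpersonation | Get-ImpersonationScopeReport
```

Assignments reported as UNSCOPED cover every mailbox in the organization and are the first candidates for recall once backup or restore work is finished.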