This is an archive version of the document. To get the most up-to-date information, see the current version.Required Permissions
Continue with this section to learn how to configure user accounts.
In This Section
- Required Permissions for Veeam Backup for Microsoft Office 365
- Required Permissions for Microsoft SharePoint and OneDrive for Business Organizations
- Required Permissions for Microsoft Exchange Organizations
- Assigning ApplicationImpersonation Role via PowerShell
- Required Permissions for Microsoft Graph
- Required Permissions for Restore
Required Permissions for Veeam Backup for Microsoft Office 365
Veeam Backup for Microsoft Office 365 requires a Local System account for the following services:
- Veeam Backup for Microsoft Office 365 Service
- Veeam Backup Proxy for Microsoft Office 365 Service
|
The Local System account must not be changed. |
Required Permissions for Microsoft SharePoint and OneDrive for Business Organizations
The account you are using to connect to Microsoft SharePoint organizations (on-premises or Online) must belong to that organization and must conform to the following:
- For on-premises Microsoft SharePoint organizations.
The account being used must be a member of the Farm Administrator group and must have the Site Collection Administrator role. This role can be assigned either automatically, when adding a new organization with SharePoint services, or manually, as described in Microsoft Organizations Management.
- For Microsoft SharePoint Online organizations.
The account being used must have either the Global Administrator role or SharePoint Administrator role.
|
The addition of Microsoft SharePoint Online organizations requires both the view-only configuration and view-only recipients roles to be assigned to the account. |
Assigning SharePoint Service Administrator role in PowerShell
To assign the SharePoint Service Administrator role using PowerShell (for Microsoft SharePoint Online organizations), use the following code snippet.
Connect-MsolService $role=Get-MsolRole -RoleName "SharePoint Service Administrator" $accountname=example@domain.com Add-MsolRoleMember -RoleMemberEmailAddress $accountname -RoleName $role.Name |
The MSOL module can be downloaded from this Microsoft page.
The $accountname variable must be a user's UPN (e.g. example@domain.com).
Required Permissions for Microsoft Exchange Organizations
The account you are using to connect to Microsoft Exchange organizations (on-premises or Online) must belong to that organization and must have the following Exchange roles assigned:
- Role Management
This role is required to grant the ApplicationImpersonation role.
- ApplicationImpersonation
Can be assigned:
- When adding new Exchange organizations to the Veeam Backup for Microsoft Office 365 backup infrastructure.
- By using Exchange Management PowerShell cmdlets.
- Organization Configuration
This role is required to manage role assignments.
- View-Only Configuration
This role is required to obtain necessary configuration parameters.
- View-Only Recipients
This role is required to view mailbox recipients (required for backup job creation).
- Mailbox Search or Mail Recipients
Either role is required to back up groups.
- Reviewer or Owner
Either role is required to use impersonation to backup/restore public folders under the Default user.
Assigning ApplicationImpersonation Role via PowerShell
For On-Premises Microsoft Exchange Organizations
To assign the ApplicationImpersonation role for on-premises Microsoft Exchange organizations, do the following:
- Connect to the Exchange server, as described in this Microsoft article.
- Run the following cmdlet to grant the role.
New-ManagementRoleAssignment –Role ApplicationImpersonation –User "Administrator" |
For Microsoft Office 365 Exchange Organizations
To assign the ApplicationImpersonation role for Microsoft Office 365 Exchange organizations, do the following:
- Connect to the Exchange server:
- For Basic Authentication, see this Microsoft article.
- For Modern Authentication, see this Microsoft article.
- Run the following cmdlet to grant the role.
New-ManagementRoleAssignment –Role ApplicationImpersonation –User user.name@domain.com |
To obtain the list of users whom the ApplicationImpersonation role has already been granted, use the following cmdlet (for both on-premises and Online organizations).
Get-ManagementRoleAssignment -Role "ApplicationImpersonation" |
To remove the role, use the following cmdlet (for both on-premises and Online organizations).
Get-ManagementRoleAssignment -RoleAssignee "Administrator" -Role ApplicationImpersonation -RoleAssigneeType user | Remove-ManagementRoleAssignment |
Required Permissions for Microsoft Graph
For more information, see Understanding Microsoft Graph.
Required Permissions for Restore
For more information about how to configure user accounts to restore data, see: