Veeam Backup for Microsoft Office 365 uses the following components to connect to Exchange organizations and pass the authentication process:
- Exchange Web Services (EWS) and PowerShell to connect to on-premises Exchange organizations.
- Microsoft Graph for Office 365 organizations.
Authentication is possible by using either of the following methods.
Using Exchange Web Services (EWS)
When transferring data using EWS, the SSL connection is always established.
When transferring data using PowerShell, two methods are possible:
- Use SSL with Basic authentication. This method is recommended by Microsoft as it provides secure communication of user credentials (account and password) inside the encrypted SSL channel. See Connect to Exchange Online PowerShell.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
- Use SPN (Service Principal Name) and Kerberos authentication. To use this method, it is recommended to deploy Veeam Backup for Office 365 management server within the same domain as the Exchange server and provide access to the domain controller. You may also need to map the Exchange server to the hybrid domain. Consider that this method cannot be used for multiple servers included in CAS.
Use the setspn command-line utility to map the Kerberos service principal name to the Microsoft account. For more information, see the Setspn article.
setspn -A HTTP/Mail.hybridDomain.com ExchangeHost