Authorization for Restore Operators
Veeam Backup for Microsoft 365 allows restore operators to perform self-service restore of backed-up data using Restore Portal. For more information about Restore Portal, see the Data Restore Using Restore Portal section of the Veeam Backup for Microsoft 365 User Guide.
To access Restore Portal using the Veeam Backup for Microsoft 365 REST API, a restore operator must obtain an assertion from the Microsoft Identity platform using the MSAL protocol. An assertion is a document in JSON format that contains an access token and a refresh token for a Microsoft Entra application used for data restore. Once a restore operator provides the assertion to the Veeam Backup for Microsoft 365 REST API server, they can obtain an access token from that server and continue working with the REST API in the regular way.
Tip: For more information on authentication against the Microsoft Identity platform, see Microsoft Docs.
The following example illustrates how to obtain an assertion with an access token.
- Obtain an MSAL access token through the Microsoft Graph API. To do this, send a POST HTTPS request to the /devicecode endpoint of the Microsoft Identity platform authentication server. In the request body, provide the application ID and the permissions required for the application.
Request: POST https://login.microsoftonline.com/<tenant>/oauth2/v2.0/devicecode
Content-type: application/x-www-form-urlencoded
Request Body: client_id=<application_id>&scope=api%3A%2F%2F<application_id>%2Faccess_as_user openid profile offline_access
where:
- <tenant> — Microsoft 365 organization name in the *.onmicrosoft.com format. For example: abc.onmicrosoft.com.
- <application_id> — ID of the Microsoft Entra application used to connect to Restore Portal. For more information on how to get this parameter value, see Get Restore Portal Settings.
- scope — permissions for the application.
Wait for the response from the server.
Response Body: { "user_code":"...", "device_code":"...", "verification_uri":"https://microsoft.com/devicelogin", "expires_in":900, "interval":5, "message":"To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code ... to authenticate." }
- Follow the link obtained in the verification_uri element of the response body and authenticate using the credentials of the Microsoft 365 organization and the user code obtained in the user_code element of the response body at step 1.
- Obtain an assertion with an access token through the Microsoft Graph API. To do this, send a POST HTTPS request to the /token endpoint of the Microsoft Identity platform authentication server. In the request body, provide the application ID and device code.
Request: POST https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
Content-type: application/x-www-form-urlencoded
Request Body: grant_type=urn:ietf:params:oauth:grant-type:device_code&client_id=<application_id>&device_code=<device_code>
where:
- <tenant> — Microsoft 365 organization name in the *.onmicrosoft.com format. For example: abc.onmicrosoft.com.
- <application_id> — ID of the Microsoft Entra application used to connect to Restore Portal that you specified at step 1.
- <device_code> — device code obtained in the device_code element of the response body at step 1.
Wait for the response from the server.
Response Body: { "token_type":"Bearer", "scope":"...", "expires_in":3599, "ext_expires_in":3599, "access_token":"<access_token>", "refresh_token":"<refresh_token>" }
- Log in to the Veeam Backup for Microsoft 365 REST API. To do this, send a POST HTTPS request to the Veeam Backup for Microsoft 365 REST API token path. In the request body, provide the access token obtained in the response at step 3.
Request: POST https://abc.tech.local:4443/v8/token
Content-type: application/x-www-form-urlencoded
Request Body: grant_type=operator&client_id=<userId.tenantId>&assertion=<access_token>
where:
- <userId.tenantId> — user ID and tenant ID. For information on how to obtain these values, see Obtaining User ID and Tenant ID.
- <access_token> — access token obtained in the access_token element of the response body at step 3.
Alternatively, you can use Swagger UI. In this case, you must provide values for the following parameters:
- From the grant_type drop-down list, select operator.
- For the client_id parameter, enter the user ID and tenant ID in the following format: userId.tenantId. For information on how to obtain these values, see Obtaining User ID and Tenant ID.
- For the assertion parameter, enter the access token obtained in the access_token element of the response body at step 3.
Once a restore operator has logged in to the Veeam Backup for Microsoft 365 REST API, you can create a restore session for the restore operator. For more information, see Create Restore Session for Restore Operator.
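The four steps above as client-side logic, in an added example that is not Veeam's or Microsoft's code: it builds the form bodies with full URL encoding and polls /token at the interval the server returned until the sign-in in step 2 completes or the device code expires. The `post(url, body)` transport and all function names are assumptions made for illustration.

```python
import time
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def device_code_request(tenant, app_id):
    """Step 1: URL and form body for the /devicecode request."""
    scope = f"api://{app_id}/access_as_user openid profile offline_access"
    url = f"{AUTHORITY}/{tenant}/oauth2/v2.0/devicecode"
    return url, urlencode({"client_id": app_id, "scope": scope})


def poll_for_token(post, tenant, app_id, device, sleep=time.sleep):
    """Step 3: poll /token until the user finishes step 2 or the code expires.

    `post(url, body)` is a caller-supplied transport (hypothetical) returning
    the JSON response as a dict; `device` is the response body from step 1.
    """
    url = f"{AUTHORITY}/{tenant}/oauth2/v2.0/token"
    body = urlencode({"grant_type": DEVICE_GRANT, "client_id": app_id,
                      "device_code": device["device_code"]})
    waited, interval = 0, device["interval"]
    while waited < device["expires_in"]:
        sleep(interval)               # never poll faster than the server asked
        waited += interval
        reply = post(url, body)
        if "access_token" in reply:
            return reply
        if reply.get("error") != "authorization_pending":
            raise RuntimeError(f"device code flow failed: {reply.get('error')}")
    raise TimeoutError("device code expired before sign-in completed")


def veeam_login_body(user_id, tenant_id, access_token):
    """Step 4: form body for POST /v8/token with grant_type=operator."""
    return urlencode({"grant_type": "operator",
                      "client_id": f"{user_id}.{tenant_id}",
                      "assertion": access_token})
```

The token response holds bearer credentials (access and refresh token), so keep it out of logs and shell history.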
Obtaining User ID and Tenant ID
To provide a value for the client_id parameter, you must obtain a user ID and tenant ID. You can obtain these values in one of the following ways:
- Use the Microsoft Graph API.
  - Request an additional access token. To do this, send a POST HTTPS request to the /token endpoint of the Microsoft Identity platform authentication server. In the request body, provide the application ID and the refresh token obtained at step 3 of the authorization procedure.
    Request: POST https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
    Content-type: application/x-www-form-urlencoded
    Request Body: client_id=<application_id>&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default openid profile offline_access&grant_type=refresh_token&refresh_token=<refresh_token>
  - Using the obtained access token, send the following GET HTTPS request to obtain a user ID:
    Request: GET https://graph.microsoft.com/v1.0/me?$select=id
    Content-type: application/x-www-form-urlencoded
  - Using the obtained access token, send the following GET HTTPS request to obtain a tenant ID:
    Request: GET https://graph.microsoft.com/v1.0/organization?$select=id
    Content-type: application/x-www-form-urlencoded
- Use an external tool (for example, you can view the required parameter values in Microsoft Entra ID (formerly Microsoft Azure Active Directory)).
- Decode the access token obtained at step 3 of the authorization procedure. Then collect the values of the following parameters:
  - oid — user ID
  - tid — tenant ID
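The decode option above, as an added example that is not part of the Veeam documentation: it reads the oid and tid claims from the token payload and joins them into the userId.tenantId value for client_id. The function names are assumptions, and the sample token is constructed with made-up GUIDs.

```python
import base64
import json


def jwt_claims(token):
    """Decode the payload segment of a JWT. The signature is NOT verified, so
    use the result only to read identifiers, never to make a trust decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def operator_client_id(access_token):
    """Build the client_id value (userId.tenantId) from the oid and tid claims."""
    claims = jwt_claims(access_token)
    missing = [name for name in ("oid", "tid") if not claims.get(name)]
    if missing:
        raise ValueError("token lacks claim(s): " + ", ".join(missing))
    return f"{claims['oid']}.{claims['tid']}"


def b64url_segment(obj):
    """Encode a dict as an unpadded base64url JWT segment (sample data only)."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token: made-up GUIDs and a dummy signature, not a real credential.
SAMPLE_TOKEN = ".".join([
    b64url_segment({"alg": "RS256", "typ": "JWT"}),
    b64url_segment({"oid": "00000000-aaaa-bbbb-cccc-000000000001",
                    "tid": "00000000-dddd-eeee-ffff-000000000002"}),
    "constructed-signature",
])

if __name__ == "__main__":
    print(operator_client_id(SAMPLE_TOKEN))
```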