Data Backup

This section describes backup concepts of Veeam Data Cloud for Microsoft 365.

To back up Microsoft 365 data, Veeam Data Cloud uses Microsoft Entra ID (formerly Microsoft Azure Active Directory) applications.

The first Microsoft Entra application registration is created during the self-service onboarding process. You can either select to create the application registration automatically or manually:

If you choose to automatically connect Veeam Data Cloud to your Microsoft 365 tenancy, Veeam Data Cloud creates a new application registration and grants the required permissions.
If you choose to manually connect Veeam Data Cloud to your Microsoft 365 tenancy, you must manually grant the required permissions for the new or existing application registration. For more information on the required permissions, see Microsoft Entra Application Permissions.

You can also add a second Microsoft Entra application registration to increase the speed of your SharePoint backup. For more information, see Adding Second App Registration.

Microsoft Entra Enterprise Applications

For Veeam Data Cloud, Microsoft Entra ID automatically creates 3 Enterprise applications (not application registrations) in your tenant:

Veeam Data Cloud [EMEA, AMER, APJ]

When you log in to Veeam Data Cloud for Microsoft 365 with a Microsoft account for the first time, you must accept the following permissions: View your basic profile, Maintain access to data you have given it access to. After you accept the permissions, the Veeam Data Cloud [EMEA, AMER, APJ] Enterprise application is created with those permissions. Veeam Data Cloud uses this Enterprise application to authenticate the users who sign in to Veeam Data Cloud with Microsoft accounts.

Veeam Data Cloud Registration [EMEA, AMER, APJ]

During the self-service onboarding process, if you choose to automatically connect Veeam Data Cloud to Microsoft 365, you must accept the following permissions upon entering the device code: Application.readwrite.all, AppRoleAssignment.ReadWrite.All, Directory.ReadWrite.All, Application.ReadWrite.All, RoleManagement.ReadWrite.Directory. After you accept the permissions, the Veeam Data Cloud Registration [EMEA, AMER, APJ] Enterprise application is created. Veeam Data Cloud uses this Enterprise application to automatically create the Veeam Data Cloud for Microsoft 365 application registration that is used for backup and restore.
During the self-service onboarding process, if you choose to manually connect Veeam Data Cloud to Microsoft 365, the Veeam Data Cloud Registration [EMEA, AMER, APJ] Enterprise application is not created. You must manually create the Veeam Data Cloud for Microsoft 365 application registration. For more information on how to create a new application registration, see this Microsoft article.

Once you have successfully onboarded, you can delete the Veeam Data Cloud Registration [EMEA, AMER, APJ] Enterprise application. When using features such as uploading certificates, Veeam Data Cloud will ask for the permissions and create the Veeam Data Cloud Registration [EMEA, AMER, APJ] Enterprise application again.

Veeam Data Cloud for Microsoft 365

When you run your first backup session, the Veeam Data Cloud for Microsoft 365 Enterprise application is created. Veeam Data Cloud uses this Enterprise application for backup and restore purposes.

NOTE

For Express or Premium, you must grant admin consent to a fourth Enterprise application. To view the required permissions for this Enterprise application, see Express or Premium Permissions for Microsoft Entra Application.

Backup Retention

Veeam Data Cloud for Microsoft 365 uses the snapshot-based retention mechanism to store the backed-up data. With each backup job run, Veeam Data Cloud captures a snapshot or state of a backed-up item, and saves it to the backup location. The item state comprises a cumulative set of item versions created for the item in Microsoft 365. The item state belongs to a specific restore point.

Snapshot-based retention works in the following way:

During the initial backup of an item, Veeam Data Cloud creates the first restore point with the initial item state. The item state contains all versions of the item that exist in Microsoft 365 at the moment when the backup is created.
When a user modifies the item in Microsoft 365 once again, Microsoft 365 creates a new version for the item.
During a subsequent backup session, Veeam Data Cloud creates a new restore point with a new item state. The new item state cumulatively includes all versions of the item created by Microsoft 365, including those that are already contained in the first restore point.
After the retention period for the first restore point expires, Veeam Data Cloud removes the restore point from the backup location — that is, removes the item state. The item itself remains in the backup location.

Veeam Data Cloud will repeat this operation for all subsequent restore points that contain newer states of the item until the retention period expires for the last restore point, and the last restore point is removed as well.

Retention is set to 7 years by default, and can be customized to offer an unlimited time period. To do this, contact Veeam Customer Support.

Once the data is backed up, you cannot delete it.

Backup and Restore of Public Folders

Veeam Data Cloud for Microsoft 365 supports backup and restore of public folders.

To back up and restore public folders, you must grant the following roles and permissions during onboarding:

The M365 Global Admin account that you use for onboarding must have the Owner role at the root level of the public folder hierarchy. For more information, see Granting Owner Role in PowerShell.
The M365 Global Admin account that you use for onboarding must have a valid Exchange Online license and an active mailbox within the Microsoft 365 organization.
To back up public folders and discovery search mailboxes in Microsoft 365 organizations, Veeam Data Cloud for Microsoft 365 needs access to Exchange Online PowerShell. To access Exchange Online PowerShell, the Microsoft Entra application must have the Exchange.ManageAsApp permission and the Global Reader role. For information on how to grant the Global Reader role, see Granting Global Reader Role to Microsoft Entra Application.

Consider the following limitations:

Backup and restore of public folders requires the Variable License Model.
Veeam Data Cloud for Microsoft 365 only backs up and restores public folders located under the IPM_SUBTREE folder.
When backing up public mailboxes, only select the root public mailbox. Any child folders of the selected public mailbox will be backed up as well.
Veeam Data Cloud for Microsoft 365 does not back up permissions for sharing mailbox folders and calendar.

To back up public folders, select the public folders that are listed as M365 users when you create a backup policy. For more information, see Performing Backup.

To restore public folders, explore your Outlook backups, select the public folder mailbox and restore it. For more information, see Restoring Outlook Mailboxes.