Configuring Veeam Backup for Microsoft Office 365 with Modern Authentication


Veeam Backup for Office 365

With Security Defaults being the norm in newly created Azure AD tenants and their respective Office 365 tenants, it’s a good time to look at how Veeam Backup for Office 365 offers modern authentication since version 3.

Setting up modern authentication requires these five steps after you’ve downloaded and installed Veeam Backup for Office 365:

  1. Creating an app registration in Azure AD
  2. Delegate the right permissions to the custom application
  3. Create a service account in Azure AD
  4. Create an app password for the service account
  5. Create a new organization in Veeam Backup for Office 365

Note:
For the purposes of this blogpost, I’m configuring Veeam Backup for Office 365 4b (version 4.0.0.2516).

 

Step 1: Creating an app registration in Azure AD

Now it’s time to create a Veeam Backup for Office 365-specific app registration. Follow these steps to do so:

  • Open a web browser and navigate to https://portal.azure.com.
  • Sign in with an account that has the Global administrator role assigned, or the combination of the Cloud application administrator, Privileged Role administrator and Application administrator roles.
  • Perform multi-factor authentication when prompted.
  • In the left navigation pane for the Azure Portal, click on Azure Active Directory.
  • In the Azure AD-specific navigation menu, click on App registrations.
  • In the main App registration pane, click the + New registration link in the taskbar.
    The Register an application pane appears.

Register an application for Veeam Backup for Office 365

  • For the Name field, enter a meaningful name for the app registration that follows your organization’s naming convention for app registrations.
  • Click the Register button at the bottom of the pane.

You have now created an application registration with default permissions and are taken directly to its Overview pane.

 

Step 2: Delegate the right permissions to the custom application

The default permissions are a bit excessive on one side, but also lacking on the other side. It’s time to set the right permissions. Follow these steps to do so:

  • On the App registration’s Overview pane, note the value for Application (Client) ID. Copy it into a Notepad window, for instance, as it’s a GUID and you don’t want to enter it incorrectly. We need to enter this value into Veeam Backup for Office 365 when configuring the organization.
  • Click on the View API permissions button.
    The VBO-AppRegistrationName | API Permissions page appears.
  • On the line that lists the User.Read permissions, click on the three dots at the end of the line and click Remove Permission to remove this default permission. Veeam Backup for Microsoft Office 365 does not need this particular permission.

Veeam Backup for Office 365 API permissions

  • Click Yes, remove to do so.
  • Click the + Add a permission button.
    The Request API permissions page appears.

    • Click the Microsoft Graph tile.
    • Click the Application permissions tile.
    • In the list of permissions, select Directory.Read.All under Directory.
    • In the list of permissions, select Group.Read.All under Groups.
    • Click the Add permissions button at the bottom of the pane.
  • You are taken back to the VBO-AppRegistrationName | API Permissions page.
  • Click the + Add a permission button again.
    The Request API permissions page appears.

    • Click the Exchange API tile.
    • Click the Application permissions tile.
    • Select the full_access_as_app permission.

Request API permissions for the Veeam Backup for Office 365 App Registration

  • Click the Add permissions button at the bottom of the pane.
    You are taken back to the VBO-AppRegistrationName | API Permissions page.
  • Click the + Add a permission button again.
    The Request API permissions page appears.
    • Click the SharePoint API tile.
    • Click the Application permissions tile.
    • Select the Sites.FullControl.All permission under Sites.
    • Click the Add permissions button at the bottom of the pane.
  • Back on the VBO-AppRegistrationName | API Permissions page, click the Grant admin consent for TenantName button.
  • Answer Yes to the question ‘Do you want to grant consent for the requested permissions for all account in TenantName? This will update any existing admin consent records this application already has to match what is listed below.’

The app registration in Azure AD now has the required API permissions to interact with Office 365’s Exchange Online, SharePoint Online and OneDrive for Business. Next, create a client secret for it:

  • In the VBO-AppRegistrationName navigation pane, on the left side, click on Certificates & secrets.
  • In the VBO-AppRegistrationName | Certificates & secrets pane, click the + New client secret button.
  • In the Add a client secret modal, type a description for the shared secret in the Description field if you think this helps identify your actions.
  • Select an expiration time that is appropriate for your organization, or accept the default of 1 year.
  • Click the Add button.
  • Copy the value of the client secret and note it down.

You are now done with specifying the app registration for Veeam Backup for Office 365.

Note:
As you might have noticed, the default lifetime of a client secret for an app registration is 1 year. After this period, you’ll have to create a new client secret, then update the information in Veeam Backup for Office 365.
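To check that the app registration ended up with exactly the permissions from step 2, and to see how long each client secret has left, the following is an added example using the Microsoft Graph PowerShell SDK; it is not from the original post or from Veeam. The function name Test-VboAppRegistration and the 30-day warning threshold are assumptions, the three resource IDs are the well-known first-party application IDs for Microsoft Graph, Exchange Online and SharePoint Online, and the session must already be connected with Connect-MgGraph -Scopes 'Application.Read.All'.

```powershell
#Requires -Modules Microsoft.Graph.Applications
# Added example; run Connect-MgGraph -Scopes 'Application.Read.All' first.
function Test-VboAppRegistration {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $ClientId,  # Application (Client) ID from step 2
        [int] $WarnDays = 30                        # assumed warning threshold
    )
    # Step 2's permission set, written as resourceAppId/permission/type.
    $expected = @(
        '00000003-0000-0000-c000-000000000000/Directory.Read.All/Role'     # Microsoft Graph
        '00000003-0000-0000-c000-000000000000/Group.Read.All/Role'
        '00000002-0000-0ff1-ce00-000000000000/full_access_as_app/Role'     # Exchange Online
        '00000003-0000-0ff1-ce00-000000000000/Sites.FullControl.All/Role'  # SharePoint Online
    )
    $app = Get-MgApplication -Filter "appId eq '$ClientId'"
    if (-not $app) { throw "No app registration found for client ID $ClientId" }

    # Resolve each declared permission GUID to its name via the resource's service principal.
    $declared = @(foreach ($rra in $app.RequiredResourceAccess) {
        $sp = Get-MgServicePrincipal -Filter "appId eq '$($rra.ResourceAppId)'"
        foreach ($ra in $rra.ResourceAccess) {
            # Type 'Role' is an application permission, 'Scope' a delegated one.
            $defs = if ($ra.Type -eq 'Role') { $sp.AppRoles } else { $sp.Oauth2PermissionScopes }
            $name = ($defs | Where-Object { $_.Id -eq $ra.Id }).Value
            if (-not $name) { $name = $ra.Id }   # keep the GUID if it cannot be resolved
            '{0}/{1}/{2}' -f $rra.ResourceAppId, $name, $ra.Type
        }
    })
    $nowUtc = (Get-Date).ToUniversalTime()
    [pscustomobject]@{
        Missing = @($expected | Where-Object { $_ -notin $declared })
        Excess  = @($declared | Where-Object { $_ -notin $expected })
        Secrets = @(foreach ($cred in $app.PasswordCredentials) {
            $daysLeft = [math]::Floor(($cred.EndDateTime - $nowUtc).TotalDays)
            [pscustomobject]@{
                Name         = $cred.DisplayName
                Expires      = $cred.EndDateTime
                DaysLeft     = $daysLeft
                ExpiringSoon = $daysLeft -le $WarnDays
            }
        })
    }
}
# Usage: Test-VboAppRegistration -ClientId '<application-client-id>'
```

A default User.Read permission that was not removed shows up under Excess as a Scope entry, and an empty Missing and Excess means the registration matches step 2.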

Step 3: Create a service account in Azure AD

The next item on our list is to create the service account for Veeam Backup for Office 365 in Azure Active Directory. Follow these steps to do so:

  • In the Azure Portal, click on Azure Active Directory in the leftmost navigation menu. This leads back to the Overview page of the Azure AD tenant.
  • In Azure AD’s navigation menu, click on Users.
  • Click the + New user link in the taskbar.
    The New User pane appears.
  • Provide a User name.
  • Scroll down a bit to the Password area. Underneath the greyed-out field for password, select the Show Password option. Copy the password.
  • Scroll down a bit further to the Groups and Roles area.
  • Click the User link, next to Roles to change the roles for the service account.
    The Directory roles pane appears.
  • Select the following two roles from the list of Directory roles:
    • Exchange administrator
    • SharePoint administrator
  • Click the Select button at the bottom of the pane.
    You are led back to the New User pane.
  • Click the Create button at the bottom of the pane.
  • Close the Azure Portal by closing your browser.

Membership of the Exchange administrator or SharePoint administrator role automatically requires multi-factor authentication at sign-in when Security Defaults are enabled.

 

Step 4: Create an app password for the service account

Let’s sign in one time with the Veeam Backup for Office 365 service account to configure a strong password and configure multi-factor authentication:

  • Open an incognito window of your web browser.
  • Navigate to https://myprofile.microsoft.com.
  • At the sign-in page enter the userPrincipalName for the Veeam Backup for Office 365 service account. Click the Next button afterward.
  • Enter the password.
  • Now, update the password by typing in or pasting the current password and then typing in or pasting the new strong password twice. Click Sign in when done.
  • You’ll be required to set up multi-factor authentication as your organization needs more information to keep the account secure. Click Next.

Keep your account secure

  • Register the Microsoft Authenticator app first:
    • Download the Microsoft Authenticator App on a mobile device.
    • On the Start by getting the app screen, click Next.
    • On the Set up your account screen, click Next.
    • Open the Microsoft Authenticator App on the mobile device. In the right top corner of the app tap the + sign, select Work or school account and scan the QR code.
    • In the web browser click Next.
      Microsoft performs the multi-factor authentication method a first time. Approve the sign-in on the mobile device.
    • In the web browser click Next.
  • Now, register the phone method:
    • On the Phone screen, select your country and enter the phone number.
    • Click Next.
      Microsoft sends you a one-time passcode in a text message.
    • Type the passcode on the Phone screen in the browser.
    • Click Next.
    • In the web browser click Next.
  • Click the Done button.
  • Sign in again.
    You will be taken to the My account experience.

My Profile

  • Click the UPDATE INFO > link on the Security info tile to add sign-in methods.
  • Click the + Add method link at the top of the list of currently configured sign-in methods.
    The Add a method pop-up appears.
  • In the Add a method pop-up, select App password from the drop-down list of methods.
  • Enter a meaningful name for the app password. Include the service and server name as a bare minimum.
  • Click Next.
  • Copy the app password.
  • Click Done.
  • Close the browser window.

 

Step 5: Create a new organization in Veeam Backup for Office 365

Perform the following actions to create a new organization in Veeam Backup for Office 365:

  • Open Veeam Backup for Office 365 on the Windows Server installation where you’ve installed Veeam Backup for Microsoft Office 365.
  • In the top-left corner of the application, click Add Org from the taskbar.
    The ADD ORGANIZATION pop-up window appears.
  • On the Organization deployment type screen, click Next to select the default settings.
  • On the Office 365 connection settings screen, select your specific sovereign Office 365 region, or choose Default for the default Office 365 regions.

Veeam Backup for Office 365 - Office 365 connection settings

  • Make sure Modern authentication is selected and click Next.

Veeam Backup for Office 365 - Exchange Online credentials

  • On the Exchange Online Credentials screen:
    • Supply the Application (Client) ID for the app registration in Azure AD in the field for Application ID:.
    • Enter the application secret in the Application secret: field.
    • Supply the username and the app password for the Veeam Backup for Office 365 service account.
  • Click Next.

Now follow the rest of the steps to configure or reconfigure your Veeam Backup for Office 365 installation to your organization’s needs.

2 Responses to Configuring Veeam Backup for Microsoft Office 365 with Modern Authentication

  1.  

    Hi,

    Great article and very detailed – much appreciated. A couple of points…
    1. The step "Click the Exchange API tile" is no longer valid – I believe Microsoft removed this sometime in 2020. I used this https://www.michev.info/Blog/Post/3180/exchange-api-permissions-missing to find the work around.
    2. Having completed all steps in Azure and now back in the VBO console, when inputting all the credentials for the Exchange Online account, it attempted to verify all the details but I got a couple of errors…
    "Check ApplicationImpersonation role: Role is not assigned"

    This is odd, as when I review the help at https://helpcenter.veeam.com/archive/vbo365/20/guide/vbo_required_permissions.html and run "Get-ManagementRoleAssignment -Role "ApplicationImpersonation", I can see my new 'vbouser' account has the ApplicationImpersonation role assigned.

    The other verification error I get is "check LegacyAuthProtocolsEnabled: Legacy Authentication protocols are probably disabled". I'm not sure how to resolve this item.

    Any advice? Thanks in advance.

  2.  

    …spoke too soon. I re-ran the verification and it is passing the 'ApplicationImpersonation role' check now. Perhaps it took a few minutes to replicate in Azure…

    Still stuck on the LegacyAuthProtocolsEnabled error though…!
