
| Role | Description | Misc. |
|---|---|---|
| SharePoint Admin | Required to back up Microsoft SharePoint Sites. | You can assign the Global Admin role that overrides these roles. |
| View-only Configuration, View-Only Recipients | Required to get a list of available groups and users. | You can assign the Global Admin role that overrides these roles. |

Granting SharePoint Administrator Role in PowerShell


To grant the SharePoint Administrator role using PowerShell (for Microsoft SharePoint Online organizations),
use the following code snippet.

Connect-MsolService
$role=Get-MsolRole -RoleName "SharePoint Administrator"
$accountname="example@domain.com"
Add-MsolRoleMember -RoleMemberEmailAddress $accountname -RoleName $role.Name

The $accountname variable must be a user UPN (example@domain.com).

The MSOL module can be downloaded from this Microsoft page.

24 | Veeam Backup for Microsoft Office 365 | User Guide


Microsoft Teams
To back up Microsoft Teams data, Veeam Backup for Microsoft Office 365 requires access to the Exchange
mailbox of the group associated with a team and to the SharePoint site of this group. Thus, the Veeam Backup
account that you use to add an organization using modern authentication with legacy protocols allowed or basic
authentication must have permissions required for backup of Exchange Online and SharePoint Online data. For
more information, see Microsoft Exchange Organizations and Microsoft SharePoint and OneDrive for Business.

In addition, the Veeam Backup account that you use to add an organization must meet the following
requirements:

• The account must have a Microsoft Office 365 license that permits access to Microsoft Teams API. The
minimum sufficient license is Microsoft Teams Exploratory experience.

• The account must have the Team Administrator role assigned.

NOTE:

Consider the following:

• In case you add an organization in Veeam Backup for Microsoft Office 365 using the modern
authentication method with legacy protocols allowed, and specify different accounts to connect to
Microsoft Exchange and Microsoft SharePoint, the required license and role must be assigned to the
account used to connect to Microsoft SharePoint.
• For more information about permissions required to restore Microsoft Teams data from backups
created by Veeam Backup for Microsoft Office 365, see Required Permissions for Veeam Explorer for
Microsoft Teams.

Azure AD Application Permissions


This section explains required permissions for Azure AD applications that you use to back up and restore data
from/to your Microsoft Office 365 organizations.

For more information about permissions in Azure, see this Microsoft article.

Requirements for Modern App-Only Authentication


The following table lists permissions for Azure AD applications that are granted automatically by Veeam Backup
for Microsoft Office 365 when you add organizations using the modern app-only authentication method.

If you prefer to use a custom application of your own, make sure to grant all the permissions listed in this table
manually.

| API | Permission name | Type | Usage | Description |
|---|---|---|---|---|
| Microsoft Graph | Directory.Read.All | Application | Backup | Querying Azure AD for organization properties, the list of users and groups and their properties. |
| Microsoft Graph | Directory.Read.All | Delegated¹ | Restore | Querying Azure AD for organization properties, the list of users and groups and their properties. |
| Microsoft Graph | Group.Read.All | Application | Backup | Querying Azure AD for the list of groups and group sites. |
| Microsoft Graph | Group.ReadWrite.All | Application² | Restore | Recreating in Azure AD an associated group in case of a deleted team site restore. This permission is only required for restore of SharePoint site data with Azure AD applications using a certificate. The operation is available through RESTful API and PowerShell. |
| Microsoft Graph | Group.ReadWrite.All | Delegated¹ | Restore | Recreating in Azure AD an associated group in case of teams restore. |
| Microsoft Graph | offline_access | Delegated¹ | Restore | Obtaining a refresh token from Azure AD. |
| Microsoft Graph | Sites.ReadWrite.All | Application | Backup | Querying Azure AD for the list of sites and getting download URLs for files and their versions. |
| Microsoft Graph | TeamSettings.ReadWrite.All | Application | Backup | Accessing archived teams to backup. |
| Microsoft Graph | TeamSettings.ReadWrite.All | Application² | Restore | Restoring teams to the archived state. |
| Office 365 Exchange Online | EWS.AccessAsUser.All | Delegated¹ | Restore | Accessing mailboxes as the signed-in user (impersonation) through EWS to restore. |
| Office 365 Exchange Online | full_access_as_app | Application | Backup | Reading mailboxes content to backup. |
| Office 365 Exchange Online | full_access_as_user | Delegated¹ | Restore | Reading the current state and restoring mailboxes content. This permission is only required when you add an organization in the Germany region. |
| SharePoint | AllSites.FullControl | Delegated¹ | Restore | Reading the current state and restoring SharePoint sites and OneDrive accounts content. |
| SharePoint | Sites.FullControl.All | Application | Backup | Reading sites and OneDrive accounts content to backup. |
| SharePoint | Sites.FullControl.All | Application² | Restore | Reading the current state and restoring SharePoint sites and OneDrive accounts content. |
| SharePoint | User.Read.All | Application | Backup | Reading OneDrive accounts to backup (getting site IDs). |
| SharePoint | User.Read.All | Application² | Restore | Resolving OneDrive accounts to restore (getting site IDs). |
| SharePoint | User.ReadWrite.All | Delegated¹ | Restore | Resolving OneDrive accounts to restore (getting site IDs). |

¹ Permissions of the Delegated type are used for data restore using the device code flow.
² Permissions of the Application type are used for data restore using an application certificate.
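
When a custom application is used, its granted permissions can be compared with the Backup rows of the table above. The following is an added example, not part of the Veeam guide or product; the Compare-AppPermission function and the CSV layout of the sample input are hypothetical, and the sample rows are constructed.

```powershell
# Added example: least-privilege audit of a custom Azure AD application.
# $required: the Type = Application, Usage = Backup rows of the table above.
$required = @(
    'Microsoft Graph/Directory.Read.All'
    'Microsoft Graph/Group.Read.All'
    'Microsoft Graph/Sites.ReadWrite.All'
    'Microsoft Graph/TeamSettings.ReadWrite.All'
    'Office 365 Exchange Online/full_access_as_app'
    'SharePoint/Sites.FullControl.All'
    'SharePoint/User.Read.All'
)
# Application-type permission the table lists for restore only.
$restoreOnly = @('Microsoft Graph/Group.ReadWrite.All')

# Constructed sample input (assumption): permissions granted to the app,
# one row per permission, in a hypothetical Api,Permission,Type CSV layout.
$granted = @'
Api,Permission,Type
Microsoft Graph,Directory.Read.All,Application
Microsoft Graph,Group.Read.All,Application
Microsoft Graph,Group.ReadWrite.All,Application
Microsoft Graph,Sites.ReadWrite.All,Application
Microsoft Graph,Mail.ReadWrite,Application
Office 365 Exchange Online,full_access_as_app,Application
SharePoint,Sites.FullControl.All,Application
SharePoint,AllSites.FullControl,Delegated
'@ | ConvertFrom-Csv

# Hypothetical helper: set comparison of granted vs. required permissions.
function Compare-AppPermission {
    param(
        [Parameter(Mandatory)] [object[]] $Granted,
        [Parameter(Mandatory)] [string[]] $Required,
        [string[]] $RestoreOnly = @()
    )
    # The Backup rows of the table are all of the Application type.
    $have = @($Granted | Where-Object { $_.Type -eq 'Application' } |
        ForEach-Object { '{0}/{1}' -f $_.Api, $_.Permission } |
        Sort-Object -Unique)
    [pscustomobject]@{
        Missing     = @($Required | Where-Object { $_ -notin $have })
        RestoreOnly = @($have | Where-Object { $_ -in $RestoreOnly })
        Unexpected  = @($have | Where-Object {
                $_ -notin $Required -and $_ -notin $RestoreOnly })
    }
}

Compare-AppPermission -Granted $granted -Required $required `
    -RestoreOnly $restoreOnly | Format-List
```

Entries under Missing are table permissions the application lacks; entries under RestoreOnly and Unexpected are not needed by the Backup rows and are worth reviewing on an application used only for backup.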



Checking Permissions for Office 365 Exchange Online API
To check Office 365 Exchange Online API permissions, do the following:

1. Sign in to the Azure portal.

2. Go to Azure Active Directory > App registrations, and select an application.

3. Select API permissions > Add a permission > APIs my organization uses.

4. Select Office 365 Exchange Online API in the list, check its permissions and configure them, if needed.

Backup Application Permissions


The following table lists required permissions for Azure AD applications that you add as backup applications.

| API | Permission name | Type | Usage | Description |
|---|---|---|---|---|
| Microsoft Graph | Sites.ReadWrite.All | Application | Backup | Getting download URLs for files and their versions. |
| SharePoint | Sites.FullControl.All | Application | Backup | Reading sites and OneDrive accounts content to backup. |
| SharePoint | User.Read.All | Application | Backup | Reading OneDrive accounts to backup (getting site IDs). |

Required Azure AD Application Settings


For data restore using an Azure AD application, the following settings must be specified for the application in
Microsoft Azure:

1. In the Azure AD application settings, the Treat application as a public client option must be set to Yes. For
more information on application settings, see this Microsoft article.
Note that this option is not available in Microsoft Azure for the Germany region. In this region, you must
register Azure AD applications used for backup and restore as applications of the Public client/Native type.

2. In the Azure AD application settings, a redirect URI must be specified for the application. For more
information, see this Microsoft article.
When creating a new Azure AD application automatically, Veeam Backup for Microsoft Office 365 specifies
http://localhost/ as a redirect URI.



Required User Account Roles for Azure AD Applications
The account that the Azure AD application will use to log in to Microsoft Office 365 must be assigned the
following roles:

• Global Administrator or Exchange Administrator — required for data restore with Veeam Explorer for
Microsoft Exchange.

• Global Administrator or SharePoint Administrator — required for data restore with Veeam Explorer for
Microsoft SharePoint and Veeam Explorer for Microsoft OneDrive for Business.

• Global Administrator or Teams Administrator — required for data restore with Veeam Explorer for
Microsoft Teams.

• Global Administrator — required for establishing a connection to a service provider in the Office 365
Backup as a Service scenario.

Requirements for Modern Authentication with Legacy Protocols Allowed
The following table lists required permissions that must be granted to Azure AD applications to perform a
backup for organizations with modern authentication with legacy protocols allowed.

| API | Permission name | Type | Usage | Description |
|---|---|---|---|---|
| Microsoft Graph | Directory.Read.All | Application | Backup | Querying Azure AD for organization properties, the list of users and groups and their properties. |
| Microsoft Graph | Group.Read.All | Application | Backup | Querying Azure AD for the list of groups and group sites. |
| Microsoft Graph | TeamSettings.ReadWrite.All | Application | Backup | Accessing archived teams to backup. |
| Exchange | full_access_as_app | Application | Backup | Reading mailboxes content to backup. |
| SharePoint | Sites.FullControl.All | Application | Backup | Reading sites and OneDrive accounts content to backup. |
| SharePoint | User.Read.All | Application | Backup | Reading OneDrive accounts to backup (getting site IDs). |



Considerations and Limitations
This section lists considerations and known limitations in Veeam Backup for Microsoft Office 365.

• Infrastructure

• Backup Repositories

• Object Storage Repositories

• Backup

• Restore

NOTE:

For the complete list of known issues and limitations in Veeam Backup for Microsoft Office 365 5.0, see
Release Notes. For limitations in Veeam Backup for Microsoft Office 365 functionality when protecting
organizations with modern app-only authentication, see this Veeam KB article.

Infrastructure
• The Veeam Backup for Microsoft Office 365 RESTful API Service, Veeam Backup for Microsoft Office 365
Service and Veeam Backup Proxy for Microsoft Office 365 Service must be started using the Local System
account.

• You cannot change the name of the Veeam Backup for Microsoft Office 365 server or change domains of
the server without resetting the configuration.

• If the organization has multiple domains, they must be configured as a mesh to cross authenticate to
download content from all domains with the service account. For more information, see this Microsoft
article.

• Microsoft Windows 2008 operating system is not supported; Windows 2008 R2 SP1 is the minimum
supported version.

• Veeam Backup for Microsoft Office 365 does not support encryption at-rest for the following types of
backup repositories:

o A local directory on a backup proxy server.

o Direct Attached Storage (DAS) connected to the backup proxy server.

o Storage Area Network (SAN).

o Network Attached Storage (SMB 3.0 shares).

• [For Microsoft Outlook] Preliminary releases such as Insider releases or releases provided by Monthly
Channel Updates are not supported; Veeam Backup for Microsoft Office 365 supports only RTM/GA
versions. For more information, see this Microsoft article.

• If the Veeam Backup for Microsoft Office 365 console and a management server are deployed on different
machines, make sure that the management server is trusted for delegation. For more information, see this
Microsoft article.



• If any of the machines with any of the Veeam Backup for Microsoft Office 365 components have been
renamed (or its FQDN has been changed), or any machine has been added to a different domain, then all
the components become unavailable to each other. If any of the above has occurred on a server that acts
as a backup proxy server, then such a server becomes Offline in the Veeam Backup for Microsoft Office
365 console. To make a server available, re-add it, as described in Adding Backup Proxy Servers.

• IPv6 is not supported for Microsoft Azure China region.

• Adding Microsoft Office 365 organizations using modern authentication with legacy protocols allowed is
not supported for Microsoft Azure China region.

• Adding Microsoft Office 365 organizations using modern app-only authentication is not supported for
Microsoft Azure Germany region.

• Microsoft Teams service is not supported for organizations in the Microsoft Azure China and Germany
regions.

• Notifications about backup jobs completion results may not work properly for Microsoft Azure China and
Germany regions.

Backup Repositories
• Backup repositories with enabled volume deduplication are not supported.

• A symbolic link that is configured as a mapped drive is not supported.

Object Storage Repositories


• Veeam Backup for Microsoft Office 365 does not support the $root container in Azure blob storage.

• Veeam Backup for Microsoft Office 365 does not support Glacier or Lifecycle policy in Amazon AWS Data
Management or Azure Archive storage class.

• Make sure the S3 Compatible device you are adding supports AWS v4 signature. For more information
about authentication requests, see this Amazon article.

• Veeam Backup for Microsoft Office 365 allows you to migrate data from a local backup repository to an
object storage repository, but not vice versa. For more information, see the Move-VBOEntityData section
of the Veeam Backup for Microsoft Office 365 PowerShell Reference.

Backup
• To back up user mailboxes, make sure that a mailbox has a valid Microsoft Office 365 license. Otherwise a
backup job will fail with the following error: "Error: Mailbox doesn't have a valid Microsoft Office 365
license".

• To back up public folder mailboxes, the Veeam Backup account must have a valid Exchange Online license
and an active mailbox within the Microsoft Office 365 organization.

• Veeam Backup for Microsoft Office 365 backs up public folders that are located under the IPM_SUBTREE
folder only.

• Project Web Apps are not supported for backup.

• On-premises service accounts cannot be used for multi-factor authentication.

• Backup of In-Place Hold Items is not supported for on-premises Microsoft Exchange 2013.



• You can select only the root public mailbox when backing up public mailboxes. The child folders of the
selected public mailbox will be backed up as well.

• If you modify a retention policy tag for a folder, Veeam Backup for Microsoft Office 365 will perform full
synchronization of that folder during the subsequent backup job session. For more information, see this
Microsoft article.

• A SharePoint Site Collection hierarchy is not supported if the root site was not configured. Make sure to
configure the root site in advance using a SharePoint site template of your choice. Otherwise, the
following error occurs: Error: Failed to find web template ID for: STS#-1. This organization account might
be missing a valid SharePoint license. Web configuration is not complete.

• When backing up Microsoft Exchange mailboxes, Veeam Backup for Microsoft Office 365 does not create a
new version of an item whose Read/Unread property was changed. As a result, the Read/Unread
property of each backed-up item always remains exactly the same as it was during the initial
backup.

• Veeam Backup for Microsoft Office 365 does not back up the following Microsoft Teams objects:

o Private channels

o One-on-one and group chats

o Audio and video calls

o Video recordings

o Contacts

o Calendar: information about meetings and meeting chats

o Code snippets in posts

o Banner notifications in posts

o Data of applications added as channel tabs that does not reside in the SharePoint document library of
the channel

• As part of Microsoft Teams data backup, Veeam Backup for Microsoft Office 365 backs up only the
following types of channel tabs: Website, Planner, Word, Excel, PowerPoint, Visio, PDF, Document
Library, OneNote, SharePoint, Stream, Forms, Power BI, Flow and Azure DevOps.

• Veeam Backup for Microsoft Office 365 cannot back up SharePoint Online sites if their domain names were
changed. For more information, see this Microsoft article.

Restore
• A red X over the symbol of a SharePoint site means that there is an empty sector of the template and
that supported content is available in the subsites.

• Microsoft Teams messages cannot be restored directly back to Teams.

• Veeam Backup for Microsoft Office 365 restores public folders that are located under the IPM_SUBTREE
folder only.

• Bulk restore (restore of multiple objects) is not supported for public folder mailboxes. Use the regular
per-object restore instead.

• Cross-tenant restore to Microsoft Office 365 is only possible for Exchange Online objects, not for
SharePoint sites.
