How to add an organization with modern app-only authentication and use an existing Azure AD application in Veeam Backup for Microsoft 365

When you add an organization using the modern app-only authentication method, you are required to provide Azure AD application settings. Please refer to the following link to create and configure Azure AD application permissions.

How to configure Azure AD Application Permissions for Modern App-Only Authentication of Veeam Backup for Microsoft 365 – CarySun

Veeam Backup for Microsoft 365 uses such an application to establish a connection to your Microsoft 365 organizations with enabled security defaults and maintain data transfer during backup and restore sessions.

With modern app-only authentication, you cannot use a Veeam Backup account; only communication through an Azure AD application is possible.

Required User Account Roles for Azure AD Applications

The Azure AD application uses a user account to log in to Microsoft 365. This user account must be assigned the following roles:

  • Global Administrator — required for adding organizations with modern app-only authentication, creating backup applications, registering Azure AD application for Restore Portal and creating Azure AD application for the Microsoft Azure service account.
  • ApplicationImpersonation and Global Administrator or Exchange Administrator — required for data restore with Veeam Explorer for Microsoft Exchange.
  • SharePoint Administrator or Global Administrator — required for data restore with Veeam Explorer for Microsoft SharePoint and Veeam Explorer for Microsoft OneDrive for Business.
  • Teams Administrator or Global Administrator — required for data restore with Veeam Explorer for Microsoft Teams.
  • Global Administrator — required for establishing a connection to a service provider in the Microsoft 365 Backup as Service scenario.

1. Log in to the Veeam Backup for Microsoft 365 Manager server.

2. Open the Veeam Backup for Microsoft Office 365 console.

3. On the Veeam Backup for Microsoft Office 365 console page, right-click Organizations, select Add organization.

4. On the Organization deployment type page, select Microsoft 365 as the organization type, select all the services you want to protect, click Next.

5. On the Microsoft 365 connection settings page, select Default as Region, select Modern authentication as the authentication method, click Next. Make sure to leave the Allow for using legacy authentication protocols check box cleared. This check box allows you to add a Microsoft 365 organization with disabled security defaults.

6. On the Microsoft 365 connection settings page, select Use an existing Azure AD application, click Next.

8. On the Exchange Online credentials page, in the Username field, specify a user account.

You can enter any account that belongs to your Microsoft 365 organization using the following format: name@<domain_name>.<domain>. For example, user@abc.com.

Note:

If you select only the SharePoint Online and OneDrive for Business services to protect at the Select Organization Deployment Type step, Veeam Backup for Microsoft 365 displays the Specify organization name field instead. In this field, specify the domain name of your Microsoft 365 organization without the user name. For example, abc.com.

9. In the Application ID field, specify an identification number of your Azure AD application.

10. In the Application certificate field, click Install.

11. On the Select certificate type page, select Generate a new self-signed certificate, click Next.

When generating a new self-signed certificate, Veeam Backup for Microsoft 365 will register it automatically.

12. On the Generate certificate page, click Finish.

13. Select the Allow this application to enable export mode for SharePoint Web Parts check box to allow Veeam Backup for Microsoft 365 to back up web parts of your Microsoft SharePoint websites, click Next.

Veeam Backup for Microsoft 365 automatically alters the allowexport property of each web part and sets this property to true. After the allowexport property is set to true, a web part can be backed up without any limitations.

14. On the Log in to Microsoft 365 page, click Copy code, click the sign-in link.

15. Enter the code, click Next.

16. Enter your account name, click Next. Make sure to sign in with the user account that has the Global Administrator role.

17. Enter the password, click Sign in.

18. On the sign-in confirmation page, click Continue.

19. Close the sign-in window after making sure you signed in successfully.

20. On the Log in to Microsoft 365 page, make sure you are authenticated to Microsoft 365, click Next.

21. Make sure the connection is established, click Finish.

22. Verify that the Office 365 organization was added successfully.
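
Once the organization is added, the self-signed certificate that Veeam generated and registered is a credential on the Azure AD application. The script below is an added example, not code from the original post or from Veeam: it audits the credentials in a JSON export of the Microsoft Graph application object (for instance the output of `az ad app show --id <Application ID>`). The sample object, its IDs and dates, the severity labels and the 30-day warning threshold are all constructed assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: trimmed Microsoft Graph "application" object; IDs, names, dates are made up.
SAMPLE_APP = json.loads("""
{
  "appId": "00000000-0000-0000-0000-000000000001", "displayName": "vbo365-app (constructed)",
  "keyCredentials": [
    {"keyId": "11111111-1111-1111-1111-111111111111", "displayName": "CN=old-cert",
     "type": "AsymmetricX509Cert", "usage": "Verify",
     "startDateTime": "2022-01-10T00:00:00Z", "endDateTime": "2023-01-10T00:00:00Z"},
    {"keyId": "22222222-2222-2222-2222-222222222222", "displayName": "CN=new-cert",
     "type": "AsymmetricX509Cert", "usage": "Verify",
     "startDateTime": "2024-06-01T00:00:00Z", "endDateTime": "2025-06-01T00:00:00Z"}
  ],
  "passwordCredentials": [
    {"keyId": "33333333-3333-3333-3333-333333333333", "displayName": "leftover secret",
     "endDateTime": "2026-01-01T00:00:00Z"}
  ]
}
""")

def _ts(value):
    """Parse a Graph timestamp such as 2025-06-01T00:00:00Z (fractional seconds dropped)."""
    return datetime.fromisoformat(re.sub(r"\.\d+", "", value).replace("Z", "+00:00"))

def audit_app_credentials(app, now, warn_days=30):
    """Return (severity, keyId, message) findings for one application object."""
    findings = []
    certs = app.get("keyCredentials") or []
    if not certs:
        findings.append(("high", None, "no certificate registered on the application"))
    for cred in certs:
        end = _ts(cred["endDateTime"])
        if cred.get("type") != "AsymmetricX509Cert" or cred.get("usage") != "Verify":
            findings.append(("medium", cred["keyId"], "not an X.509 verification credential"))
        if end <= now:  # cannot authenticate any more, but clutters the app registration
            findings.append(("low", cred["keyId"], "expired certificate still registered"))
        elif end - now <= timedelta(days=warn_days):  # backups fail once this lapses
            findings.append(("high", cred["keyId"], f"certificate expires in {(end - now).days} days"))
    for secret in app.get("passwordCredentials") or []:
        if _ts(secret["endDateTime"]) > now:  # a second way to authenticate as the app
            findings.append(("medium", secret["keyId"], "valid client secret exists beside the certificate"))
    return findings

if __name__ == "__main__":
    for finding in audit_app_credentials(SAMPLE_APP, datetime(2025, 5, 15, tzinfo=timezone.utc)):
        print(*finding, sep=" | ")
```

Pass the current UTC time as `now` when running it against a real export.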

Hope you enjoy this post.

Cary Sun

Twitter: @SifuSun

Web Site: carysun.com

Blog Site: checkyourlogs.net

Blog Site: gooddealmart.com
