
Least Privileges

It is a common best practice to grant only the permissions necessary for the task at hand; that is the least privilege approach. The Veeam Help Center page Required Azure AD Permissions lists the combined privileges for backup and restore of all supported Microsoft 365 applications, which is convenient but does not meet this requirement.

This section covers least privilege access with modern-only authentication.

For restoring items of a service you need to grant the required permissions listed below to the Azure AD application.

Check out the vbo-create-azure-ad-app script on GitHub and the corresponding blog article Create Azure AD apps automatically to create these applications for granular use cases automatically.

Permission Types - Application vs Delegated

Microsoft knows two types of permissions for Azure AD applications (apps): Application and Delegated.

An Application permission is granted to the app itself. The app can act with the granted permissions without a signed-in user present. An app's Application permissions are also its effective permissions.

A Delegated permission is also granted to the app, but it requires a signed-in user on whose behalf the app acts. The app can only exercise a Delegated permission when the signed-in user also has that permission. The app's effective permissions are therefore derived from the user's permissions, and an app can never have more permissions than the user using it.

More details can be found in the Microsoft Documentation.

Backup

All listed permissions are of the type Application.

| API        | Application Permission Name |
|------------|-----------------------------|
| Graph      | Directory.Read.All          |
| Graph      | Group.Read.All              |
| Graph      | Sites.ReadWrite.All         |
| Graph      | TeamSettings.ReadWrite.All  |
| Exchange   | full_access_as_app          |
| SharePoint | Sites.FullControl.All       |
| SharePoint | User.Read.All               |

For a more detailed description of each permission, please check the Veeam Help Center Required Azure AD Permissions.

Interactive Restore

The interactive restore authenticates with the device code flow. This is the default for all restores via the Veeam Explorers and can also be used via the RESTful API.

Restores require user credentials for an account that is a member of either Global Administrator or the respective service administrator role (Exchange Administrator, SharePoint Administrator, Teams Administrator). For Exchange restores the user must also hold the ApplicationImpersonation role to be able to restore into mailboxes the user does not own.

The application must have the Allow public client flows setting set to Yes. The setting can be found in the Authentication/Advanced settings section.

All listed permissions are of the type Delegated.

| API        | Delegated Permission Name |
|------------|---------------------------|
| Graph      | Directory.Read.All        |
| Graph      | Group.ReadWrite.All       |
| Graph      | offline_access            |
| Exchange   | EWS.AccessAsUser.All      |
| SharePoint | AllSites.FullControl      |
| SharePoint | User.ReadWrite.All        |

This list omits the full_access_as_user permission, which is only required for the Germany region.

Programmatic Restore (RESTful API)

When using the RESTful API you can also use certificate authentication for restores.

All listed permissions are of the type Application.

| API        | Application Permission Name |
|------------|-----------------------------|
| Graph      | Directory.Read.All          |
| Graph      | Group.ReadWrite.All         |
| Exchange   | full_access_as_app          |
| SharePoint | Sites.FullControl.All       |
| SharePoint | User.Read.All               |

For Exchange restores you will need an account to be used for impersonation, though you do not need the credentials of this account.
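The three permission sets above are easy to over-grant (for instance by copying the combined Help Center list into a backup-only app). The following audit helper is an added example, not part of this page or of the vbo-create-azure-ad-app script: it transcribes the sets from the tables and compares them with the permissions actually granted to an app, flagging both missing and excess grants and treating a grant of the wrong type (Delegated where Application is required) as not satisfying the requirement. The sample app registration is constructed for illustration; the (api, name, type) tuples are assumed to have been resolved from the app's API permissions blade.

```python
# Permission sets transcribed from this page's tables: (API, permission, type).
REQUIRED = {
    "backup": {
        ("Graph", "Directory.Read.All", "Application"),
        ("Graph", "Group.Read.All", "Application"),
        ("Graph", "Sites.ReadWrite.All", "Application"),
        ("Graph", "TeamSettings.ReadWrite.All", "Application"),
        ("Exchange", "full_access_as_app", "Application"),
        ("SharePoint", "Sites.FullControl.All", "Application"),
        ("SharePoint", "User.Read.All", "Application"),
    },
    "interactive_restore": {
        ("Graph", "Directory.Read.All", "Delegated"),
        ("Graph", "Group.ReadWrite.All", "Delegated"),
        ("Graph", "offline_access", "Delegated"),
        ("Exchange", "EWS.AccessAsUser.All", "Delegated"),
        ("SharePoint", "AllSites.FullControl", "Delegated"),
        ("SharePoint", "User.ReadWrite.All", "Delegated"),
    },
    "programmatic_restore": {
        ("Graph", "Directory.Read.All", "Application"),
        ("Graph", "Group.ReadWrite.All", "Application"),
        ("Exchange", "full_access_as_app", "Application"),
        ("SharePoint", "Sites.FullControl.All", "Application"),
        ("SharePoint", "User.Read.All", "Application"),
    },
}

def audit(granted, use_case):
    """Return (missing, excess) for granted (api, name, type) tuples. A grant
    of the wrong type appears in both lists: it neither satisfies nor is needed."""
    granted = set(granted)
    required = REQUIRED[use_case]
    return sorted(required - granted), sorted(granted - required)

# Constructed sample: a backup-only app that was granted the combined
# backup+restore set from the Help Center instead of the backup set above.
SAMPLE_APP = [
    ("Graph", "Directory.Read.All", "Application"),
    ("Graph", "Group.Read.All", "Application"),
    ("Graph", "Group.ReadWrite.All", "Application"),  # only restores need this
    ("Graph", "Sites.ReadWrite.All", "Application"),
    ("Graph", "TeamSettings.ReadWrite.All", "Application"),
    ("Exchange", "full_access_as_app", "Application"),
    ("SharePoint", "Sites.FullControl.All", "Application"),
    ("SharePoint", "User.Read.All", "Delegated"),     # wrong type for unattended backup
]

if __name__ == "__main__":
    print(audit(SAMPLE_APP, "backup"))
```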

Why Write Permissions for Backup?

Some of the data Veeam needs to read is only available with write permissions: although only read operations are performed, read permissions are not sufficient for some API calls.

For example, Sites.ReadWrite.All is required to query Azure AD for a list of SharePoint Online sites and to obtain download URLs for files and their versions.

Resources



Copyright © 2019-2022 Solutions Architects, Veeam Software.