Authentication
This section has content in regards of authentication of VBO against the Microsoft 365 infrastructure.
Method
Use Modern App-only Authentication which gives you the best performance, most security and is most future proof.
Microsoft announced to disable Basic Authentication beginning from October 1, 2022. While this was already postponed some times and might be again, it is not good to rely on Basic Auth anymore.
Only enable Legacy Protocols with Modern Authentication or even go down to Basic Authentication if you really need one of the features which are today not available via Microsoft’s Graph API (and thus not with Modern App-Only authentication). Please see Veeam KB3146 for limitations that come with Modern Authentication.
Least Privilege Approach
To improve security use the least privilege approach and only assign the permissions which are required for the task at hand.
When using the wizard to add a new organization and create the Azure AD application from within the wizard, this application will have all possible permissions VB365 might need. However, you might only need a portion of it, because you are only backing up Exchange, or you want to separate the restore permissions to another application.
On the Veeam Help Center Required Azure AD Permissions you can find a detailed list of permissions and what they are used for. With this information you can build a least privilege model and only assign the required permissions to the Azure AD applications.