
Least Privileges

It is a common best practice to grant only the permissions necessary for the task at hand. That is the least privilege approach. The Veeam Help Center Required Azure AD Permissions page lists the combined privileges for backup and restore of all supported Microsoft 365 applications, which is convenient but does not meet this requirement.

This section concentrates on providing information for least privilege access with modern-only authentication.

For restoring items of a service you need to provide the required (✔) permissions to the Azure AD application.

Check out the vbo-create-azure-ad-app script on GitHub and the corresponding blog article Create Azure AD apps automatically to create these applications for granular use cases automatically.

Backup

All listed permissions are of the type Application.

| API        | Application Permission Name | Exchange | SharePoint & OneDrive | Teams |
|------------|-----------------------------|----------|-----------------------|-------|
| Graph      | Directory.Read.All          |          |                       |       |
| Graph      | Group.Read.All              |          |                       |       |
| Graph      | Sites.ReadWrite.All         |          |                       |       |
| Graph      | TeamSettings.ReadWrite.All  |          |                       |       |
| Exchange   | full_access_as_app          |          |                       |       |
| SharePoint | Sites.FullControl.All       |          |                       |       |
| SharePoint | User.Read.All               |          |                       |       |

For a more detailed description of each permission, please check the Veeam Help Center Required Azure AD Permissions page.

Interactive Restore

The interactive restore involves authentication with the device code flow. This is the default for all restores via the Veeam Explorers and can also be used via the RESTful API.

Restores require user credentials that hold either the Global Administrator role or the respective service administrator role (Exchange Administrator, SharePoint Administrator, Teams Administrator).

The application must have the Allow public client flows setting configured to Yes. The setting can be found in the Authentication/Advanced Settings section.

All listed permissions are of the type Delegated.

| API        | Delegated Permission Name | Exchange | SharePoint & OneDrive | Teams |
|------------|---------------------------|----------|-----------------------|-------|
| Graph      | Directory.Read.All        |          |                       |       |
| Graph      | Group.ReadWrite.All       |          |                       |       |
| Graph      | offline_access            |          |                       |       |
| Exchange   | EWS.AccessAsUser.All      |          |                       |       |
| SharePoint | AllSites.FullControl      |          |                       |       |
| SharePoint | User.ReadWrite.All        |          |                       |       |

This list omits the full_access_as_user permission, which is only required for the Germany region.
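To verify that an existing app registration requests nothing beyond the least-privilege backup set listed above, and to see whether the Allow public client flows setting needed for the interactive restore is enabled, the following audit script can be used. It is an added example, not part of this guide or of the vbo-create-azure-ad-app script; it assumes the Microsoft.Graph PowerShell module, a caller holding Application.Read.All, and the app registration object ID as input. The Graph property isFallbackPublicClient is what the portal shows as "Allow public client flows".

```powershell
# Added example: audit an app registration against the backup permission set above.
# Assumes the Microsoft.Graph module and a caller with Application.Read.All.
param(
    [Parameter(Mandatory)] [string] $AppObjectId   # object ID of the app registration (hypothetical input)
)

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# Least-privilege backup set from the table above; all of type Application ("Role" in the manifest).
# Keys are the well-known appIds of the resource service principals.
$expected = @{
    '00000003-0000-0000-c000-000000000000' = @('Directory.Read.All', 'Group.Read.All',
                                               'Sites.ReadWrite.All', 'TeamSettings.ReadWrite.All')  # Microsoft Graph
    '00000002-0000-0ff1-ce00-000000000000' = @('full_access_as_app')                                 # Office 365 Exchange Online
    '00000003-0000-0ff1-ce00-000000000000' = @('Sites.FullControl.All', 'User.Read.All')             # Office 365 SharePoint Online
}

$app = Get-MgApplication -ApplicationId $AppObjectId -Property DisplayName,RequiredResourceAccess,IsFallbackPublicClient
"App: $($app.DisplayName)    Allow public client flows (isFallbackPublicClient): $($app.IsFallbackPublicClient)"

foreach ($rra in $app.RequiredResourceAccess) {
    # The manifest only carries GUIDs; resolve them to names via the resource's service principal.
    $sp     = Get-MgServicePrincipal -Filter "appId eq '$($rra.ResourceAppId)'"
    $wanted = $expected[$rra.ResourceAppId]
    $found  = @()
    foreach ($ra in $rra.ResourceAccess) {
        if ($ra.Type -eq 'Role') {
            $name = ($sp.AppRoles | Where-Object Id -eq $ra.Id).Value
            $kind = 'Application'
        } else {
            $name = ($sp.Oauth2PermissionScopes | Where-Object Id -eq $ra.Id).Value
            $kind = 'Delegated'
        }
        $found += $name
        # Anything delegated, or any application permission outside the backup set, is excess for a backup-only app.
        $flag = if ($kind -eq 'Application' -and $wanted -contains $name) { 'ok' } else { 'EXCESS: not in least-privilege backup set' }
        '{0,-32} {1,-30} {2,-12} {3}' -f $sp.DisplayName, $name, $kind, $flag
    }
    foreach ($missing in ($wanted | Where-Object { $found -notcontains $_ })) {
        '{0,-32} {1,-30} {2,-12} {3}' -f $sp.DisplayName, $missing, 'Application', 'MISSING'
    }
}
```

Run it against an app created from the combined Help Center list to see every permission that a backup-only registration does not need.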

Programmatic Restore (RESTful API)

When using the RESTful API, you can also use certificate-based authentication for restores.

All listed permissions are of the type Application.

| API        | Application Permission Name | Exchange | SharePoint & OneDrive | Teams |
|------------|-----------------------------|----------|-----------------------|-------|
| Graph      | Directory.Read.All          |          |                       |       |
| Graph      | Group.ReadWrite.All         |          |                       |       |
| Exchange   | full_access_as_app          |          |                       |       |
| SharePoint | Sites.FullControl.All       |          |                       |       |
| SharePoint | User.Read.All               |          |                       |       |

For Exchange restores, you need to specify an account to be used for impersonation, though you do not need the credentials of this account.

Resources



Copyright © 2019-2021 Solutions Architects, Veeam Software.