Least Privileges
It is a common best practice to provide only the necessary permissions for the task at hand. That’s the least privilege approach. The Veeam Help Center Required Azure AD Permissions lists combined privileges for backup and restore of all supported Microsoft 365 applications, which is convenient but does not meet this demand.
This section concentrates on providing information for least privilege access with modern-only authentication.
For restoring items of a service you need to provide the required (✔) permissions to the Azure AD application.
Checkout out the vbo-create-azure-ad-app script on Github and the corresponding blog article Create Azure AD apps automatically to create these applications for granular use cases automatically.
Backup
All listed permissions are of the type Application.
| API | Application Permission Name | Exchange | SharePoint & OneDrive | Teams |
|---|---|---|---|---|
| Graph
| Directory.Read.All | ✔ | ✔ | ✔ |
Group.Read.All | ✔ | ✔ | ✔ | |
Sites.ReadWrite.All | ✔ | ✔ | ||
TeamSettings.ReadWrite.All | ✔ | |||
| Exchange | full_access_as_app | ✔ | ✔ | |
| SharePoint
| Sites.FullControl.All | ✔ | ✔ | |
User.Read.All | ✔ | ✔ |
For a more detailed description for each permission, please check the Veeam Help Center Required Azure AD Permissions.
Interactive Restore
The interactive restore involves authentication with the device code flow. This is the default for all restores via the Veeam Explorers and can also be used via the RESTful API.
Restore will require user credentials with membership of either Global Administrator or the respective service administrators (Exchange Administrator, SharePoint Administrator, Teams Administrator).
The application must have the Allow public client flows setting configured to Yes. The setting can be found in the Authentication/Advanced Settings section.
All listed permissions are of the type Delegated.
| API | Delegated Permission Name | Exchange | SharePoint & OneDrive | Teams |
|---|---|---|---|---|
| Graph
| Directory.Read.All | ✔ | ✔ | ✔ |
Group.ReadWrite.All | ✔ | |||
offline_access | ✔ | ✔ | ✔ | |
| Exchange | EWS.AccessAsUser.All | ✔ | ||
| SharePoint
| AllSites.FullControl | ✔ | ✔ | |
User.ReadWrite.All | ✔ | ✔ |
This list ignores full_access_as_user permission which is only required for the Germany region.
Programmatic Restore (RESTful API)
When using the RESTful API you can also use the certificate authentication for restores.
All listed permissions are of the type Application.
| API | Application Permission Name | Exchange | SharePoint & OneDrive | Teams |
|---|---|---|---|---|
| Graph
| Directory.Read.All | ✔ | ✔ | |
Group.ReadWrite.All | ✔ | ✔ | ||
| Exchange | full_access_as_app | ✔ | ||
| SharePoint
| Sites.FullControl.All | ✔ | ✔ | |
User.Read.All | ✔ | ✔ |
For Exchange restores you’ll need an account to be used for impersonation, though you won’t need the credentials for this account.
Resources
- Veeam Help Center Required Azure AD Permissions
- vbo-create-azure-ad-app @ Github: A script to create the required Azure AD applications external to VBO
- Create Azure AD apps automatically @ Z8N: Blog article about using the PowerShell script to create least privilege apps