Authentication Setup

To connect Veeam Backup for Microsoft Office 365 to the Office 365 backend, we need to configure the authentication and authorizations.

To connect to the Office 365 infrastructure and back up its data, Microsoft offers multiple endpoints and APIs, each with its own characteristics, for the different workloads. The most important “gateway” to the Office 365 infrastructure is Microsoft Graph. Microsoft Graph exposes the REST APIs used to interact with the Office 365 infrastructure, which allows Veeam Backup for Microsoft Office 365 to back up or restore data.

Next to the Microsoft Graph interface, some legacy application-specific APIs are still in use, such as the Exchange Web Services (EWS) API, to interact with specific components of Exchange Online that are not yet accessible through the Graph APIs.

To access these APIs, we need to authenticate. Microsoft uses Modern Authentication, which offers MFA (Multi-Factor Authentication) and App registrations. To access the Graph APIs, we use Modern Authentication natively; to access the legacy APIs, we need to use the old basic/legacy authentication methods based on service accounts.

Since the 4c release of Veeam Backup for Microsoft Office 365 we have three different authentication methods.

For new installations, we advise using Modern Authentication only (without legacy authentication protocols enabled). At some point in time Microsoft is going to disable the legacy protocols anyway. The procedure for this setup can be found here: Modern Authentication Setup

As a result, when we run Veeam Backup for Microsoft Office 365 v4c without Legacy Authentication protocols, we can’t access the legacy APIs. This results in the following list of limitations when running with Modern Authentication only:

  1. Discovery Search and Public Folder mailboxes are not supported.
  2. Dynamic Distribution groups are not supported. *
  3. The type property for shared and resource/equipment mailboxes cannot be resolved. Such mailboxes will be available for backup with a general ‘User’ type. **
  4. SharePoint Web Parts can only be backed up if their ‘exportmode’ property is enabled. Non-exportable Web Parts are not supported.
  5. OneNote restore is not supported.
  6. SharePoint Web Part customized template cannot be preserved upon a restore. All Web Parts will be restored with the default template.
  7. The ‘Allow multiple responses’ setting in survey lists within team modern sites is not preserved upon a restore.
  8. The ‘Measure-VBOOrganizationFullBackupSize’ cmdlet is not supported.

* We advise you to migrate/upgrade “Dynamic Distribution groups” into “Microsoft 365 Groups”, which can also be filled dynamically.

** There is an example script available on GitHub to overcome this limitation: https://github.com/VeeamHub/powershell/tree/master/VBO-IncludeSpecificRecipientTypes

If these limitations and workarounds are not acceptable, then you need to enable the legacy protocols, which requires backup accounts and requires you to enable the legacy authentication protocols within your Microsoft 365 tenant. The procedure for this can be found here: https://helpcenter.veeam.com/docs/vbo365/guide/adding_o365_organizations.html?ver=40
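
To judge whether limitations 1 to 3 matter for a given tenant before deciding on legacy protocols, the affected Exchange Online objects can be counted first. The following is an added example, not part of the original guide or of Veeam's scripts; it assumes the ExchangeOnlineManagement module is installed and a role with read access to recipients, and the function name `Get-ModernAuthOnlyImpact` is hypothetical. The SharePoint and OneNote limitations (4 to 7) are not covered.

```powershell
# Added example: inventory of Exchange Online objects affected by
# limitations 1-3 of a Modern-Authentication-only setup.
# Assumption: ExchangeOnlineManagement module is installed.
Import-Module ExchangeOnlineManagement

function Get-ModernAuthOnlyImpact {
    [CmdletBinding()]
    param()

    # Each entry maps a limitation number from the list to the query
    # that returns the objects it affects.
    $checks = @(
        @{ Limitation = 1; Kind = 'Discovery Search mailbox'
           Query = { Get-Mailbox -RecipientTypeDetails DiscoveryMailbox -ResultSize Unlimited } }
        @{ Limitation = 1; Kind = 'Public Folder mailbox'
           Query = { Get-Mailbox -PublicFolder -ResultSize Unlimited } }
        @{ Limitation = 2; Kind = 'Dynamic Distribution group'
           Query = { Get-DynamicDistributionGroup -ResultSize Unlimited } }
        @{ Limitation = 3; Kind = 'Shared mailbox (shown as User)'
           Query = { Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited } }
        @{ Limitation = 3; Kind = 'Room/equipment mailbox (shown as User)'
           Query = { Get-Mailbox -RecipientTypeDetails RoomMailbox, EquipmentMailbox -ResultSize Unlimited } }
    )

    foreach ($check in $checks) {
        # @() forces an array so .Count is correct for 0 or 1 results.
        $items = @(& $check.Query)
        [pscustomobject]@{
            Limitation = $check.Limitation
            Kind       = $check.Kind
            Count      = $items.Count
            Affected   = $items.Count -gt 0
            Names      = ($items | Select-Object -First 5 -ExpandProperty Name) -join '; '
        }
    }
}

# Interactive sign-in uses Modern Authentication (MFA-capable).
Connect-ExchangeOnline -ShowBanner:$false
try {
    Get-ModernAuthOnlyImpact | Sort-Object Limitation | Format-Table -AutoSize
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Rows with `Affected` set to `True` are the object types that would be skipped or mis-typed under Modern Authentication only; `Names` shows at most the first five matches per row.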

External Resources