Veeam for Office 365 and Two-Factor Authentication
Ah, the ~~pain in the butt~~ joy that is Two-Factor Authentication! Safe, secure, and of course, only works with half the applications you need it to. In this case, the issue is compatibility between Microsoft Office 365 and Veeam Backup for Office 365. As of this post, Version 2.0 is NOT compatible with 2FA; however, that is being evaluated for future versions.
To the question at hand, though: what are our options if we use 2FA and wish to have a secure environment? There are a few, but I’ve detailed below the one that balances security with usability. However, if you have discovered any other notes about this, please leave a comment!
Setup:
Create a non-2FA account solely for backup in your Microsoft Office 365 Admin Portal. This is typically standard procedure, or should be, but you would be amazed how many companies do not do this. To use Veeam in this case:
- Create a standard Office 365 account specifically for backup. You may name it whatever you wish, but it must have a license for Exchange Online.
- Give it a highly complex password (duh).
- Set up organization roles. This is key; there are very specific roles that the account requires. Obviously an org admin would have the same permissions, but giving this account admin privileges would defeat the entire purpose of using 2FA in your organization! The easiest way to do this is to log in to your Exchange Online org via PowerShell with an admin account and add the roles to the account using the command:
  New-ManagementRoleAssignment -Role <insert role> -User "Veeam"
  - Roles to be added:
    - ApplicationImpersonation
    - Organization Configuration
    - View-Only Configuration
    - View-Only Recipients
    - Mailbox Search or Mail Recipients
- Lock down the account.
  - In the Office 365 Admin Portal, under Mail Settings > Email Apps for the account, shut off everything.
  - Hide from the Global Address List.
Finally, using the wizard in Veeam Backup for O365, add the account credentials and test. If you get an error, check your roles to confirm the user account is added to all of them:
Get-ManagementRoleAssignment -RoleAssignee "Veeam"
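An added example (not part of the original post and not Veeam's own tooling) that audits the result of the role check against the list above: it reports required roles that are missing and any extra roles that make the account broader than backup needs. The function name, variable names and sample data are constructed for illustration, and it assumes each assignment object exposes the role name in a Role property.

```powershell
# Added example: audit a backup account's Exchange Online roles against the
# list in this post. Names here are illustrative, not from Veeam or Microsoft.
$RequiredRoles = @(
    'ApplicationImpersonation',
    'Organization Configuration',
    'View-Only Configuration',
    'View-Only Recipients'
)
# The post asks for one of these two, not necessarily both.
$EitherOfRoles = @('Mailbox Search', 'Mail Recipients')

function Test-BackupAccountRole {
    param(
        # Objects with a Role property, e.g. Get-ManagementRoleAssignment output.
        [Parameter(Mandatory)] [object[]] $Assignment
    )
    $held = @($Assignment | ForEach-Object { [string]$_.Role } | Sort-Object -Unique)

    $missing = @($RequiredRoles | Where-Object { $_ -notin $held })
    if (-not ($EitherOfRoles | Where-Object { $_ -in $held })) {
        $missing += ($EitherOfRoles -join ' or ')
    }

    # Anything outside the list widens the account beyond what backup needs.
    $allowed = $RequiredRoles + $EitherOfRoles
    $excess  = @($held | Where-Object { $_ -notin $allowed })

    [pscustomobject]@{
        Missing = $missing
        Excess  = $excess
        Ok      = ($missing.Count -eq 0 -and $excess.Count -eq 0)
    }
}

# Constructed sample input so the script runs without a tenant. In a live
# Exchange Online session, replace it with:
#   $assignments = Get-ManagementRoleAssignment -RoleAssignee 'Veeam'
$assignments = @(
    [pscustomobject]@{ Role = 'ApplicationImpersonation' }
    [pscustomobject]@{ Role = 'Organization Configuration' }
    [pscustomobject]@{ Role = 'View-Only Recipients' }
    [pscustomobject]@{ Role = 'Mailbox Search' }
    [pscustomobject]@{ Role = 'Role Management' }   # not on the list: flagged as excess
)

Test-BackupAccountRole -Assignment $assignments | Format-List
```

With the sample data, the missing role is View-Only Configuration and the excess role is Role Management, so Ok is False.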
I hope this helps!
-Adam
why cross off pain in the butt ?
🙂