Before we can setup the backup job for your Office 365 organization, we require a user account to tie into your environment. This account does not require an Office 365 license.
Please note that this article is part of our O365 Quickstart documentation. Please review all the steps to ensure you have all the components in place for this step.
Please be mindful that if you have any additional security feature enabled in your Office 365 tenant then this account would have to be excluded from them.
If you are using Conditional Access to limit the IPs that are allowed access to your O365 tenant please pass that information to your iland Project Manager so we may provide you with the IPs of the iland site that would need to be allowed access to your tenant.
If you are enforcing MFA you must follow the Setting up Modern Authentication section.
To be able to backup SharePoint Online sites we need you to allow access to apps that don't use modern authentication. This can be done in the SharePoint Admin Center:
Go to Policies / Access Control, then click on Apps that don't use modern authentication and select Allow access and click Save
Alternatively, you can use the SharePoint Online Management Shell:
Connect-SPOService -Url "https://TENANTID-admin.sharepoint.com
Set-SPOTenant -LegacyAuthProtocolsEnabled $True
1. After logging into the Office 365 admin center, navigate to Users / Active users in the menu on the left. The click the Add a user button.
2. In the Add user interface specify the name and password of the user. Make sure to not select “Require this user to change their password when they first sign in” as that would prevent iland from login in from the Veeam backup software.
3. The user doesn’t require a license assigned in the Product licenses section.
4. The user must have the SharePoint administrator role assigned.
Note: The easiest setup would be to provide this account with Global administrator permissions. If you do not wish to provide these permissions to the account the remainder of this tutorial will guide you through setting up an account with the minimum required permissions
5. Please review all settings and create the user account.
6. To specify the exact Exchange permissions that we will assign to the new user, we need to switch to the Exchange admin center where you will find the permissions section. In the admin roles screen click on the 'plus' button:
One of the features introduced in Veeam Backup for Office 365 is the ability to use Modern Authentication. This will enable you to use MFA with the account provided to iland. This requires you to create an app and provide iland with the app ID, client secret and app password for the user created above.
1. In the Azure Active Directory admin center navigate to Azure Active Directory, select App registration and click on New registration.
2. All you need to do is provide a name and click Register.
3. Once the app registration is created, you can take a note of the Application ID as that is one of the details you will need to share with us.
4. In the Certificates and secrets section please use the option New client secret to generate the secret associated with the app registration that will be shared with iland.
5. You will need to amend the permissions of the App registration. Go to the API permissions tab and click on Microsoft Graph, as we will need to add two more permissions to that element.
The thing to take into account is that those permissions need to be added as Application permissions, not delegated permissions. Please select the appropriate option before clicking Update permissions.
6. Once the permissions were added you will need to click the box to Grant admin consent for the application registration.
7. In order to provide us with an app password please log in to the Office 365 admin center using the account created earlier and select the user icon in the upper right corner. Select the My account option.
8. In the My account page select Security and privacy, then click on Additional security verification and click on Create and manage app passwords.
Note: This options will only appear for an account that has been setup to use MFA.
9. Use the Create button to generate a new app password.
10. Once created you will see the name specified when generating the password.
To sum up, the details the iland project team will require to setup the Office 365 backup job are:
You will use the same username and app password to recover your data.
If you would like to backup a subset of your users and not the entire organisation you will need to create a security group and provide its name to the iland Project manager. Backing up a security group gives to the flexibility to manage which users are being backed up as you can update group membership at your leisure. For customers that want to backup a subset of their users AND all of their SharePoint Online team sites, we recommend creating an EXCLUSIVE security group (i.e. users that you do not want to be backed up). For customers that want to backup and a subset of their users AND NOT all of their SharePoint Online team sites, we recommend creating an INCLUSIVE security group (i.e. users that you do want to be backed up).