How to create required security groups in Azure Active Directory for M365 backup powered by Veeam

Description

This procedure explains how to create required security groups in Azure Active Directory.
 

The purpose of the first (1st) security group is to delegate the "Restore Operator" role to users in the organization for M365 backup powered by Veeam using their own credentials.
 

The purpose of the second (2nd) security group is to exclude users from M365 backup powered by Veeam. In some use cases, you may want to exclude some user mailboxes from backup job(s).

Group members can be added when the group is created or at a later time.

Important Notes

  • The number of licensed users may take up to sixty (60) days to adjust when users are added to the group named “ExcludedUsersForM365BackupPoweredByVeeam” after backups have already run.

  • If there is no user to exclude from backup jobs, please create the group without any member.

  • If you delegated the Azure AD application deployment to our provisioning team, we will also proceed with the creation of the required security groups.

Definitions

Group owners:
    

Azure Active Directory (Azure AD) groups are owned and managed by group owners. Group owners can be users or service principals, and are able to manage the group including membership. Only existing group owners or group-managing administrators can assign group owners. Group owners aren't required to be members of the group.

Requirements

The account used to create groups in Azure Active Directory must have one of the following roles: User administrator or Global administrator.

Procedure

  1. Go to https://portal.azure.com/ and log in using a user with sufficient permissions.

  2. Open Azure Active Directory (there are several ways to get there).

  3. Click on Groups


  4. Click on New group

     
  5. Enter the following group name: DelegatedRestoreOperatorsForM365BackupPoweredByVeeam
     

    Enter a group description. Example: Users in this security group can proceed with restores for the whole organization on M365 backup powered by Veeam.

    Select the group member(s) allowed to perform restores for the whole organization. If there are no delegated Restore Operators at this moment, do not add any member to the group.

    Optional - Select group owner(s).

    Then, click on Create.

     
  6. Repeat for the creation of the second (2nd) group.

    Enter the following group name: ExcludedUsersForM365BackupPoweredByVeeam

    Enter a group description. Example: Users in this security group will be excluded from backup jobs for M365 backup powered by Veeam.

    Optional - Select group owner(s).

    If there is no user to exclude at this moment, do not add any member to the group.

    Then, click on Create.
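
The same two groups can be created and reviewed from PowerShell. The script below is an added example, not part of the original procedure or of any Veeam tooling: it creates each group only if it is missing, then lists its members and owners, since members receive the restore delegation or the backup exclusion and owners can change membership. It assumes the Microsoft Graph PowerShell SDK is installed and that reusing the group name as the mail nickname is acceptable in your tenant.

```powershell
# Added example. Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups)
# and an account holding the User administrator or Global administrator role.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

$groups = @(
    @{ Name        = 'DelegatedRestoreOperatorsForM365BackupPoweredByVeeam'
       Description = 'Users in this security group can proceed with restores for the whole organization on M365 backup powered by Veeam.' },
    @{ Name        = 'ExcludedUsersForM365BackupPoweredByVeeam'
       Description = 'Users in this security group will be excluded from backup jobs for M365 backup powered by Veeam.' }
)

foreach ($g in $groups) {
    # Look the group up by exact display name so a re-run does not create a duplicate.
    $existing = @(Get-MgGroup -Filter "displayName eq '$($g.Name)'" -All)
    if ($existing.Count -gt 1) {
        Write-Warning "$($g.Name): $($existing.Count) groups share this name; resolve before continuing."
        continue
    }

    if ($existing.Count -eq 0) {
        # Security group, not mail-enabled. Graph requires a MailNickname;
        # reusing the group name for it is an assumption of this example.
        $group = New-MgGroup -DisplayName $g.Name -Description $g.Description `
            -MailEnabled:$false -SecurityEnabled -MailNickname $g.Name
        Write-Host "Created $($g.Name) ($($group.Id))"
    } else {
        $group = $existing[0]
        Write-Host "Found $($g.Name) ($($group.Id))"
    }

    if (-not $group.SecurityEnabled) {
        Write-Warning "$($g.Name) is not a security group."
    }

    # Owners may be users or service principals, so print displayName rather than a UPN.
    $members = @(Get-MgGroupMember -GroupId $group.Id -All)
    $owners  = @(Get-MgGroupOwner  -GroupId $group.Id -All)
    Write-Host "  $($members.Count) member(s), $($owners.Count) owner(s)"
    foreach ($m in $members) { Write-Host "  member: $($m.AdditionalProperties['displayName']) [$($m.Id)]" }
    foreach ($o in $owners)  { Write-Host "  owner:  $($o.AdditionalProperties['displayName']) [$($o.Id)]" }
}
```

Re-running the script later gives a quick review of who currently holds the restore delegation and who can alter either group.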



Reference

For more information on Azure AD groups, please refer to the Microsoft documentation:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal