How to create required security groups in Microsoft Entra ID for M365 backup powered by Veeam
Description
This procedure explains how to create required security groups in Microsoft Entra ID (previously known as Azure AD). In most cases, our provisioning team will create required security groups when onboarding the service.
The purpose of the first (1st) security group is to delegate the "Restore Operator" role to users in the organization for M365 backup powered by Veeam using their own credentials.
The purpose of the second (2nd) security group is to exclude users from M365 backup powered by Veeam. In some use cases, you may want to exclude some user mailboxes from backup job(s).
Group members can be added when the group is created or at a later moment.
Important Notes
- The licensed user count may take up to sixty (60) days to adjust when users are added to the group named “ExcludedUsersForM365BackupPoweredByVeeam” after backups have already run.
- If there is no user to exclude from backup jobs, please create the group without any member.
- If you delegated the Microsoft Entra application deployment to our provisioning team, we will also proceed with the creation of required security groups.
- Please contact us if you create a dynamic group for exclusions after the service has been set up, as it won’t be taken into account automatically (even if the name is identical to the previous one).
- Avoid adding distribution lists to the group named “ExcludedUsersForM365BackupPoweredByVeeam”. All members of these lists would be excluded from backups.
- A guest user cannot be used as a restore operator.
Definitions
Group owners:
Microsoft Entra (previously known as Azure AD) groups are owned and managed by group owners. Group owners can be users or service principals, and are able to manage the group including membership. Only existing group owners or group-managing administrators can assign group owners. Group owners aren't required to be members of the group.
Requirements
The account used to create the groups must have one of the following roles in Microsoft Entra ID (Azure Active Directory): User administrator or Global administrator.
Procedure
- Go to https://portal.azure.com/ and log in using a user with sufficient permissions.
- Open Microsoft Entra ID (several ways to get there are possible)
- Click on Groups
- Click on New group
- Enter the following group name: DelegatedRestoreOperatorsForM365BackupPoweredByVeeam
- Enter a group description. Example: Users in this security group can proceed with restores for the whole organization on M365 backup powered by Veeam.
- Select the group member(s) allowed to perform restores for the whole organization. If there are no delegated Restore Operators at this moment, do not add any member to the group.
- Optional - Select group owner(s).
- Then, click on Create.
- Repeat for the creation of the second (2nd) group.
  - Enter the following group name: ExcludedUsersForM365BackupPoweredByVeeam
  - Enter a group description. Example: Users in this security group will be excluded from backup jobs for M365 backup powered by Veeam.
  - Optional - Select group owner(s).
  - If there is no user to exclude at this moment, do not add any member to the group.
  - Then, click on Create.
Dynamic group
If you have many users and don’t want to handle multiple exclusions manually, you could also create a dynamic group named “ExcludedUsersForM365BackupPoweredByVeeam”. Here is a Microsoft article for more information on creating a dynamic group.
Please contact us if you create a dynamic group for exclusions post setup as it won’t be taken into account automatically (even if the name is identical to the previous one).
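The portal procedure above can also be scripted. The following is an added example, not part of the original article or the provider's tooling: it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed, and Get-OrCreateSecurityGroup is a hypothetical helper name. It creates each group only if it is missing, then checks the conditions from Important Notes (no guest restore operators, no nested groups in the exclusion group) and lists the owners who can change who holds the restore role.

```powershell
# Added example. Assumes the Microsoft.Graph module and an account that can create groups.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

$restore  = 'DelegatedRestoreOperatorsForM365BackupPoweredByVeeam'
$excluded = 'ExcludedUsersForM365BackupPoweredByVeeam'
$wanted = [ordered]@{}
$wanted[$restore]  = 'Users in this security group can proceed with restores for the whole organization on M365 backup powered by Veeam.'
$wanted[$excluded] = 'Users in this security group will be excluded from backup jobs for M365 backup powered by Veeam.'

function Get-OrCreateSecurityGroup {   # hypothetical helper, not a Graph cmdlet
    param([string]$Name, [string]$Description)
    $found = @(Get-MgGroup -Filter "displayName eq '$Name'" -All)
    if ($found.Count -gt 1) { throw "More than one group is named '$Name'; resolve the duplicate first." }
    if ($found.Count -eq 1) { return $found[0] }
    # Created with no members; members can be added later, as the procedure allows.
    New-MgGroup -DisplayName $Name -Description $Description -MailNickname $Name `
                -MailEnabled:$false -SecurityEnabled
}

$group = @{}
foreach ($name in $wanted.Keys) {
    $group[$name] = Get-OrCreateSecurityGroup -Name $name -Description $wanted[$name]
}

# Membership checks taken from the Important Notes section.
foreach ($name in $wanted.Keys) {
    foreach ($m in Get-MgGroupMember -GroupId $group[$name].Id -All) {
        $type = $m.AdditionalProperties['@odata.type']
        if ($type -eq '#microsoft.graph.group' -and $name -eq $excluded) {
            # Every member of a nested list or group would be excluded from backups.
            Write-Warning "$name contains group $($m.Id); all of its members would be excluded."
        }
        elseif ($type -eq '#microsoft.graph.user' -and $name -eq $restore) {
            $u = Get-MgUser -UserId $m.Id -Property 'id,userPrincipalName,userType'
            if ($u.UserType -eq 'Guest') {
                Write-Warning "$($u.UserPrincipalName) is a guest and cannot be used as a restore operator."
            }
        }
    }
}

# Owners can manage membership without being members, so they can grant the restore role.
Get-MgGroupOwner -GroupId $group[$restore].Id -All | ForEach-Object {
    [pscustomobject]@{ OwnerId = $_.Id; Type = $_.AdditionalProperties['@odata.type'] }
}
```

Running it again after the groups exist creates nothing and only repeats the checks.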
Reference
For more information on Microsoft Entra groups, please refer to the Microsoft documentation: https://learn.microsoft.com/en-us/entra/fundamentals/how-to-manage-groups