How to set the required permissions for the infrastructure upgrade (planned in Mid-March 2025) for M365 Backup powered by Veeam



TABLE OF CONTENTS

Description

New permissions and a role must be granted to the Microsoft Entra application to backup and restore data of your Microsoft 365 organization with M365 Backup powered by Veeam.


This procedure explains how to set the new required permissions and role in Microsoft Entra ID to ensure the continuity of your backup service after the upgrade of the infrastructure planned in Mid-March 2025.

Requirements

The user to use must have one of the following roles to update permissions in Microsoft Entra ID:  Application Administrator, Cloud Application Administrator or Global Administrator.

The user to use must have one of the following roles to update roles in Microsoft Entra ID:   Privileged Role Administrator or Global Administrator.

Important Notes

Please note that the procedure below is automated for Microsoft tenants with a working GDAP (Granular Delegated Admin Privileges) relationship with Sherweb. For others, this procedure is mandatory. Tenants without a working GDAP relationship with Sherweb are contacted by email about this required change.


If required permissions are not properly configured before the upgrade of the infrastructure, you may receive warnings in your backup reports after the upgrade. Also, some backup and restore options may not be working properly.


Tenants (Microsoft accounts) implemented after the infrastructure update will automatically receive the appropriate permissions and will not need to follow this procedure.

Procedure

  1. Sign in to the Microsoft Entra admin center



  2. Browse to Identity > Applications > App registrations > All applications.

    Use the search field to filter the “M365 Backup powered by Veeam application. Then, click on the application named M365 backup powered by Veeam.

    Note: If multiple applications named “M365 backup powered by Veeam” are found, proceed with steps below for all of them.

     
    A screenshot of a computer

Description automatically generated


  3. Click on API permissions.

     
    A screenshot of a computer

Description automatically generated
     



First permission to add

  • Click on Add a permission
     

    A screenshot of a computer

Description automatically generated

     
  • Click on Microsoft Graph.

    A screenshot of a computer

Description automatically generated
     
  • Click on Delegated permissions

    A screenshot of a computer

Description automatically generated

     
  • Browse to ChannelMember, select ChannelMember.ReadWrite.All and click on Add permissions

    A screenshot of a computer

Description automatically generated





Second permission to add

  • Click on Add a permission
     

    A screenshot of a computer

Description automatically generated

     
  • Click on Microsoft Graph.

    A screenshot of a computer

Description automatically generated
     
  • Click on Application permissions

     
    A screenshot of a computer

Description automatically generated

      
  • Browse to ChannelMember, select ChannelMember.ReadWrite.All and click on Add permissions

     
    A screenshot of a computer

Description automatically generated

 




Third permission to add

  • Click on Add a permission
     

    A screenshot of a computer

Description automatically generated

     
  • Click on Microsoft Graph.

    A screenshot of a computer

Description automatically generated
     
  • Click on Application permissions

     
    A screenshot of a computer

Description automatically generated

      
  • Browse to Files, select Files.ReadWrite.All and click on Add permissions
     

     
    A screenshot of a computer

Description automatically generated 



     

Fourth permission to add


In some cases, this fourth permission could potentially already be there.

  • Click on Office 365 Exchange Online
     

    A screenshot of a computer

Description automatically generated

     
  • Click on Application permissions

     
    A screenshot of a computer

Description automatically generated

 

  • Browse to Exchange, select Exchange.ManageAsApp and click on Update permissions

     
    A screenshot of a computer

Description automatically generated





  • Once all permissions are added on the application, click on Grant admin consent

    A screenshot of a computer

Description automatically generated


  • Select Yes and click on Save and continue.

    A screenshot of a computer

Description automatically generated


    A screenshot of a computer error

Description automatically generated


  • Confirm that all permissions are granted.

    A screenshot of a computer

Description automatically generated




Granting Global Reader Role to Microsoft Entra Application

 

  • Browse to Identity > Roles & admins > Roles & admins.

    Use the search field to get the “Global Reader” role. Then, click on Global Reader.

     A screenshot of a computer

Description automatically generated 

     
  • Click on Add assignments

     
    A screenshot of a computer

Description automatically generated
     


  • In the search field, type M365 Backup powered by Veeam. Select all applications named M365 Backup powered by Veeam and click on Add.

     
    A screenshot of a computer

Description automatically generated 

References