How to set the required permissions for the infrastructure upgrade (planned in Mid-March 2025) for M365 Backup powered by Veeam
TABLE OF CONTENTS
Description
New permissions and a role must be granted to the Microsoft Entra application to backup and restore data of your Microsoft 365 organization with M365 Backup powered by Veeam.
This procedure explains how to set the new required permissions and role in Microsoft Entra ID to ensure the continuity of your backup service after the upgrade of the infrastructure planned in Mid-March 2025.
Requirements
The user to use must have one of the following roles to update permissions in Microsoft Entra ID: Application Administrator, Cloud Application Administrator or Global Administrator.
The user to use must have one of the following roles to update roles in Microsoft Entra ID: Privileged Role Administrator or Global Administrator.
Important Notes
Please note that the procedure below is automated for Microsoft tenants with a working GDAP (Granular Delegated Admin Privileges) relationship with Sherweb. For others, this procedure is mandatory. Tenants without a working GDAP relationship with Sherweb are contacted by email about this required change.
If required permissions are not properly configured before the upgrade of the infrastructure, you may receive warnings in your backup reports after the upgrade. Also, some backup and restore options may not be working properly.
Tenants (Microsoft accounts) implemented after the infrastructure update will automatically receive the appropriate permissions and will not need to follow this procedure.
Procedure
- Sign in to the Microsoft Entra admin center
- Browse to Identity > Applications > App registrations > All applications.
Use the search field to filter the “M365 Backup powered by Veeam” application. Then, click on the application named M365 backup powered by Veeam.
Note: If multiple applications named “M365 backup powered by Veeam” are found, proceed with steps below for all of them.
- Click on API permissions.
First permission to add
- Click on Add a permission
- Click on Microsoft Graph.
- Click on Delegated permissions
- Browse to ChannelMember, select ChannelMember.ReadWrite.All and click on Add permissions
Second permission to add
- Click on Add a permission
- Click on Microsoft Graph.
- Click on Application permissions
- Browse to ChannelMember, select ChannelMember.ReadWrite.All and click on Add permissions
Third permission to add
- Click on Add a permission
- Click on Microsoft Graph.
- Click on Application permissions
- Browse to Files, select Files.ReadWrite.All and click on Add permissions
Fourth permission to add
In some cases, this fourth permission could potentially already be there.
- Click on Office 365 Exchange Online
- Click on Application permissions
- Browse to Exchange, select Exchange.ManageAsApp and click on Update permissions
Grant admin consent
- Once all permissions are added on the application, click on Grant admin consent
- Select Yes and click on Save and continue.
- Confirm that all permissions are granted.
Granting Global Reader Role to Microsoft Entra Application
- Browse to Identity > Roles & admins > Roles & admins.
Use the search field to get the “Global Reader” role. Then, click on Global Reader.
- Click on Add assignments
- In the search field, type M365 Backup powered by Veeam. Select all applications named M365 Backup powered by Veeam and click on Add.
References
- https://helpcenter.veeam.com/docs/vbo365/guide/ad_app_permissions_sd.html?ver=80
- https://learn.microsoft.com/en-us/entra/identity-platform/howto-update-permissions?pivots=portal