Monday, March 4, 2019

Configure Veeam Backup for Microsoft Office 365 2.0

Scenario

  • An Office 365 tenant: no hybrid, just the cloud.
  • You want to back up the entire tenant to on-premises storage, including OneDrive, SharePoint and Exchange.
  • We will use Veeam Backup for Microsoft Office 365 which is free for up to 10 users and 1TB of SharePoint data.

Prerequisites

  • Legacy authentication must be enabled in SharePoint Online:
    • Open SharePoint admin center > access control.
    • Switch Apps that don't use modern authentication to Allow.
    • Please wait for 15 to 30 minutes before you proceed. It takes a while for the change to take effect. If you receive The request failed with HTTP status 401: Unauthorized during a backup, confirm this setting.

Users and permissions

Make sure you have the following user accounts configured in Microsoft 365 admin center > Users > Active users:
  1. Backup account with correct permissions to SharePoint Online and Exchange Online.
    • See the required permissions below.
    • You can create a regular user account with the User (no admin access) role.
    • Multi-factor authentication must be disabled.
    • We will refer to this as backup.user.
  2. Admin user.
    • You must assign the Global administrator role.
    • Multi-factor authentication must be disabled.
    • We will refer to this as admin.user.
You will find the required permissions here, but below are instructions for the ones we will need:
  1. Open PowerShell.
  2. Connect to Microsoft Online:
    > Connect-MsolService
    Log in as admin.user when prompted.
    • If you receive 'Connect-MsolService' is not recognized, you will first need to install and import the required modules:
      > Install-Module MSOnline
      > Install-Module AzureAD
      > Import-Module AzureAD
  3. Add the SharePoint Administrator role to the backup user:
    > $role=Get-MsolRole -RoleName "SharePoint Service Administrator"
    > $accountname="backup.user@tenant.onmicrosoft.com"
    > Add-MsolRoleMember -RoleMemberEmailAddress $accountname -RoleName $role.Name
    • You can confirm the roles by typing:
      > Get-MsolUserRole -UserPrincipalName "backup.user@tenant.onmicrosoft.com"
  4. Add the required Exchange roles to the backup user:
    > $UserCredential = Get-Credential
    Log in as admin.user when prompted.
    > $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
    > Import-PSSession $Session
    > New-ManagementRoleAssignment -Role ApplicationImpersonation -User "backup.user@tenant.onmicrosoft.com"
    > New-ManagementRoleAssignment -Role "Organization Configuration" -User "backup.user@tenant.onmicrosoft.com"
    > New-ManagementRoleAssignment -Role "View-Only Configuration" -User "backup.user@tenant.onmicrosoft.com"
    > New-ManagementRoleAssignment -Role "View-Only Recipients" -User "backup.user@tenant.onmicrosoft.com"
    > New-ManagementRoleAssignment -Role "Mailbox Search" -User "backup.user@tenant.onmicrosoft.com"
    • If you receive The command you tried to run isn't currently allowed in your organization, you will first need to enable organization customization:
      > Enable-OrganizationCustomization
    • You can confirm the roles by typing:
      > Get-ManagementRoleAssignment -Role "ApplicationImpersonation"
      Change the last parameter for other roles.
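
To confirm every role from steps 3 and 4 in one pass, the following added example (not part of the original post and not Veeam's own tooling) compares what the backup account actually holds against the roles listed above. It assumes the Connect-MsolService and Exchange Online sessions from steps 2 and 4 are still open; Compare-RoleSet is a hypothetical helper name.

```powershell
# Added example: audit the roles held by the backup account.
# Assumes the sessions from steps 2 and 4 (Connect-MsolService and the
# imported Exchange Online session) are still open in this window.
$upn = "backup.user@tenant.onmicrosoft.com"   # placeholder UPN used on this page

# Roles this page assigns in steps 3 and 4.
$expectedDirectory = @("SharePoint Service Administrator")
$expectedExchange  = @(
    "ApplicationImpersonation",
    "Organization Configuration",
    "View-Only Configuration",
    "View-Only Recipients",
    "Mailbox Search"
)

function Compare-RoleSet {
    param([string]$Scope, [string[]]$Expected, [string[]]$Actual)
    # One row per role: OK, MISSING (a backup job is likely to fail) or
    # EXTRA (held by the account but not listed on this page: review it).
    foreach ($name in ($Expected + $Actual | Sort-Object -Unique)) {
        $status = "OK"
        if ($Expected -notcontains $name) { $status = "EXTRA" }
        if ($Actual   -notcontains $name) { $status = "MISSING" }
        [pscustomobject]@{ Scope = $Scope; Role = $name; Status = $status }
    }
}

# Azure AD directory roles (step 3).
$directory = @(Get-MsolUserRole -UserPrincipalName $upn | ForEach-Object { $_.Name })

# Exchange management roles (step 4). -RoleAssignee also returns roles that
# reach the account through role groups or its role assignment policy, so
# inherited rights are listed too and show up as EXTRA.
$exchange = @(Get-ManagementRoleAssignment -RoleAssignee $upn |
    Where-Object { $_.Enabled } |
    ForEach-Object { "$($_.Role)" })

$report = @(Compare-RoleSet -Scope "AzureAD"  -Expected $expectedDirectory -Actual $directory) +
          @(Compare-RoleSet -Scope "Exchange" -Expected $expectedExchange  -Actual $exchange)
$report | Format-Table -AutoSize

if ($report.Status -contains "MISSING") {
    Write-Warning "The backup account lacks a role this page requires."
}
```

A MISSING row for "Organization Configuration" or "View-Only Configuration" is the first thing to check when the Get-OrganizationConfig error from the Troubleshooting section appears.
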
The admin.user account is no longer needed if another admin account is in use. You can block it if you do not want to leave a non-multi-factor-authentication admin account around.

Configure Veeam

The backup software is fairly simple to use, so I will cover the steps more briefly.
  • Install Veeam Backup for Microsoft Office 365, Veeam Explorer for Microsoft SharePoint and Veeam Explorer for Microsoft Exchange.
  • Open Veeam Backup for Microsoft Office 365 and log in with your Windows credentials (the Use Windows session authentication checkbox).
  • Optional: Configure the backup repository in Infrastructure > Backup repositories.
  • Add your organization in Organizations > Add Org.
    • If you are using Office 365 in Germany or China, check the "Use custom Veeam application to connect to Microsoft Graph" checkbox. Otherwise, as in my case, uncheck it.
  • Configure a backup by right-clicking your organization and selecting "Backup".
    • Follow the self-explanatory setup wizard.

Troubleshooting


  • Failed to execute cmdlet: Get-OrganizationConfig
    • Please double-check the permissions for backup.user. You will receive this error if the backup user cannot read the Exchange organization configuration.