
Azure AD User creation for a service account with MFA enabled

Azure AD User creation can be paired with Multi Factor Authentication (MFA). It allows dedicated user accounts to be designed for specific tasks. Usually, such user accounts are deployed as part of service applications that require access to other objects like Databases, Mailboxes, Sites and plenty of other services; hence the name Service Accounts.

Veeam Backup for Microsoft Office 365 (VBO) is no exception. The best practice is to create and assign a dedicated user which will act as the Service Account. In particular, for Exchange Hybrid deployments it is recommended to synchronize AD attributes (which include Users as well) from an On-Premises deployment to the Online Azure AD. Microsoft provides a tool called Azure AD Connect for this; previous articles covered its installation and configuration steps.

To further enhance security when accessing Apps and their content in the Microsoft Azure Cloud, it is also possible to enable MFA at the Tenant and user level. This article covers the steps to create an Azure AD User which will be used to achieve the following:

  • create a separate Service Account dedicated to a specific Application to protect content (VBO)
  • assign the minimum privileges to perform the operations
  • enable the MFA for the Service Account


How to create an Azure AD User

From the main Dashboard > Azure Active Directory > Users view, click the link to create a new Azure AD User.

domalab.com Azure AD User

This step provides the options to set the Name, Username and Password. A temporary password can be generated as well.

From the main All Users view the new account is now available.


Selecting the intended Service Account and clicking Multi-Factor Authentication opens a new window to enable MFA for specific accounts.

The next step is to enable Multi Factor Authentication for the selected account.

A message shows the status for the selected accounts.
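The same two steps (create the user, then turn on per-user MFA for it) done from Microsoft Graph PowerShell, as an added example that is not part of the original article. It assumes the Microsoft.Graph module is installed, the caller holds the User Administrator and Authentication Policy Administrator roles, and that the tenant domain and account name shown are placeholders. The per-user MFA call uses the Graph beta `users/{id}/authentication/requirements` endpoint and its `perUserMfaState` property; treat both the endpoint and the `Policy.ReadWrite.AuthenticationMethod` scope as assumptions to verify against the current Graph documentation before use.

```powershell
# Added example (not from the original post): create the VBO service account
# with Microsoft Graph PowerShell and enable per-user MFA on it.
# Assumes the Microsoft.Graph module; tenant domain and names are placeholders.
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes "User.ReadWrite.All", "Policy.ReadWrite.AuthenticationMethod"

$upn = "svc-vbo@contoso.onmicrosoft.com"   # placeholder UPN

# Generate a random temporary password instead of typing one in by hand.
$tempPassword = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 20 | ForEach-Object { [char]$_ })

$passwordProfile = @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true   # same as the portal's "temporary password"
}

$user = New-MgUser -DisplayName "Veeam VBO Service Account" `
    -UserPrincipalName $upn `
    -MailNickname "svc-vbo" `
    -AccountEnabled `
    -PasswordProfile $passwordProfile

# Enable per-user MFA, the equivalent of the "Multi-Factor Authentication"
# window in the portal. Assumption: beta endpoint with perUserMfaState
# (disabled | enabled | enforced); confirm against current Graph docs.
$requirementsUri = "https://graph.microsoft.com/beta/users/$($user.Id)/authentication/requirements"
Invoke-MgGraphRequest -Method PATCH -Uri $requirementsUri -Body @{ perUserMfaState = "enabled" }

# Read the state back so the change is verified, not assumed.
$state = Invoke-MgGraphRequest -Method GET -Uri $requirementsUri
"{0}: perUserMfaState = {1}" -f $upn, $state.perUserMfaState
```

The temporary password is only held in the session variable; hand it over through whatever secret store the team already uses rather than pasting it into a ticket, and the first sign-in will force a change anyway.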

At this point the Azure AD User can be selected as Service Account for the desired application. Since this Service Account will access other objects (eg. Mailboxes, Sites and OneDrive in order to protect and recover content) it is necessary to grant the minimum permissions to run such operations.

In the case of Microsoft Exchange this can be done through the Exchange Admin Center. Permissions > Admin Roles provides the next steps: click the “plus” button to add a new role group.

In this instance a new admin role (role group) called “Veeam” will be created. Next, specify a Description, the Scope (Default), the Roles that will be granted and also which Users receive them. In this case these will be granted to the chosen Service Account.

The following screenshot shows the minimum permissions required:

  • ApplicationImpersonation
  • Organization Configuration
  • View-Only Configuration
  • View-Only Recipients
  • Mailbox Search
  • Mail Recipients

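The same role group, built from the list above with Exchange Online PowerShell, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module, an admin holding the Role Management role, and a placeholder service account UPN; the role names are exactly the six the article lists.

```powershell
# Added example (not from the original post): create the "Veeam" role group
# in Exchange Online with the minimum roles listed in the article and add
# the service account as its only member. UPN is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$serviceAccount = "svc-vbo@contoso.onmicrosoft.com"   # placeholder UPN

$roles = @(
    "ApplicationImpersonation",
    "Organization Configuration",
    "View-Only Configuration",
    "View-Only Recipients",
    "Mailbox Search",
    "Mail Recipients"
)

# Create the group only if it does not exist yet, so the script can be re-run.
if (-not (Get-RoleGroup -Identity "Veeam" -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name "Veeam" `
        -Description "Minimum roles for Veeam Backup for Microsoft Office 365" `
        -Roles $roles `
        -Members $serviceAccount
}
else {
    Add-RoleGroupMember -Identity "Veeam" -Member $serviceAccount
}

# Review what is actually assigned: any role beyond the six above is excess
# privilege for a backup service account and should be removed.
Get-ManagementRoleAssignment -RoleAssignee "Veeam" |
    Select-Object Role, RoleAssigneeType, CustomRecipientWriteScope

# Confirm membership is limited to the service account.
Get-RoleGroupMember -Identity "Veeam" | Select-Object Name, PrimarySmtpAddress
```

ApplicationImpersonation is the broad one in this list (it lets the account act as any mailbox in scope), which is why keeping the group to a single, MFA-enabled member and reviewing its membership periodically matters more than the rest of the configuration.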
To allow this Service Account access to SharePoint Sites (Collaboration and other Templates, plus Personal ones) and OneDrive, open the user's Properties > Roles > Manage Roles and select the desired settings.

In the case of SharePoint and OneDrive the SharePoint Administrator checkbox is required. Additionally, it is also possible to add the permission for Microsoft Teams sites Administrator.
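Assigning the SharePoint Administrator directory role from Microsoft Graph PowerShell, as an added example that is not part of the original article. It assumes the Microsoft.Graph module, a caller holding the Privileged Role Administrator role, and a placeholder service account UPN. The role is looked up by display name from the tenant's role templates, so no template GUID is hard-coded.

```powershell
# Added example (not from the original post): grant the service account the
# SharePoint Administrator directory role with Microsoft Graph PowerShell.
# UPN is a placeholder; $roleName can be changed to "Teams Administrator"
# if that role is required as well.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$upn      = "svc-vbo@contoso.onmicrosoft.com"   # placeholder UPN
$roleName = "SharePoint Administrator"

$user = Get-MgUser -UserId $upn

# A directory role must be activated from its template before first use;
# look it up by display name rather than hard-coding the template id.
$role = Get-MgDirectoryRole | Where-Object DisplayName -eq $roleName
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $roleName
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}

# Add the user only if not already a member, so the script can be re-run.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id
if ($members.Id -notcontains $user.Id) {
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }
}

# List every directory role the account now holds; a backup service account
# should carry only the roles this procedure requires.
Get-MgUserMemberOf -UserId $user.Id |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties.displayName }
```

The final listing is the check worth keeping around: run it after any change to the account and compare against the expected set (Exchange role group membership is separate and is reviewed with the Exchange Online cmdlets).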

At this point everything is ready to use the Azure AD User account with MFA enabled as Service Account in Veeam Backup for Microsoft Office 365 as detailed in the next article.


About the author

Michele Domanico

Passionate about Virtualization, Storage, Data Availability and Software Defined Data Center technologies. The aim of Domalab.com is sharing with the Community the knowledge and experience gained with customers, industry leaders and like minded peers. Always open to constructive feedback and new challenges.

Comments

  • Hi Michele!

    Thanks for the article! I am looking for a similar solution in my environment too. I couldn’t find the next article on how the “service/application” will actually use the account and how it would authenticate using MFA. Awaiting eagerly!

    • Hi Sam,
      thanks for your comment. It is a simple process and just a matter of editing the existing Organization and changing the method to Modern Authentication using MFA. This article covers it with a couple of screenshots, including other new features as per Veeam VBO 3.0: https://domalab.com/vbo-beta-3-0-upgrade/
      Hope this helps.

      Regards,
      Michele
