Home » Cloud » Azure AD User creation for a service account with MFA enabled

Azure AD User creation for a service account with MFA enabled

Azure AD User creation can be paired with Multi Factor Authentication (MFA). It allows to design dedicated user accounts to perform specific tasks. Usually, such user accounts are deployed as part of service applications that require access to other objects like Databases, Mailboxes, Sites and plenty of other services. Therefore the name Service Accounts.

Veeam Backup for Microsoft Office 365 (VBO) makes no exception. The best practice is to create and assign a dedicated user which will act as Service Account. In particular for Exchange Hybrid deployments it is recommended to synchronize AD attributes (which includes Users as well) from an On-Premises deployment to the Online Azure AD. Microsoft provides a tool called Azure AD Connect. Previous articles covered the installation and configuration steps.

To further enhance security when accessing Apps and their content in the Microsoft Azure Cloud it is also possible to enable the MFA on the Tenant and user level. In this article the steps on how to create an Azure AD User which will be used to achieve the following:

  • create a separate Service Account dedicated to a specif Application to protect content (VBO)
  • assign the minimum privileges to perform the operations
  • enable the MFA for the Service Account


How to create an Azure AD User

From the main Dashboard > Azure Active Directory > Users the link to create a new Azure AD User.

domalab.com Azure AD User

From this step the option to set up the Name, Username and Password.  A temporary one can be generated as well.

domalab.com Azure AD User

From the main All Users view the new account is now available.

domalab.com Azure AD User

By selecting the intended Service Account and a click to Multi-Factor Authentication will open a new window to enable the MFA for specific accounts.

domalab.com Azure AD User

Next step is to enable the Multi Factor Authentication.

domalab.com Azure AD User

A message shows the status for the selected accounts.

At this point the Azure AD User can be selected as Service Account for the desired application. Since this Service Account will access other objects (eg. Mailboxes, Sites and OneDrive in order to protect and recover content) it is necessary to grant the minimum permissions to run such operations.

In the case of Microsoft Exchange this can be done through the Exchange Admin Center. The Permissions > Admin Roles provides the next steps by clicking on the “plus” button to add a new one.

In this instance a new permission called “Veeam” will be created. Next is to specify a Description, Scope (Default), the Roles that will be granted and also to which Users. In this case these will be granted to the chosen Service Account.

domalab.com Azure AD User


The following screenshot shows the minimum permissions required:

  • ApplicationImpersonation
  • Organization Configuration
  • View-Only Configuration
  • View-Only Recipients
  • Mailbox Search
  • Mail Recipients

In order to allow to this Service Account access to SharePoint Sites (Collaboration and other Templates and Personal ones) plus OneDrive in the Properties > Roles > Manage Roles the option for the desired settings.

In the case of SharePoint and OneDrive the SharePoint Administrator checkbox is required. Additionally, it is also possible to add the permission for Microsoft Teams sites Administrator.

At this point everything is ready to use the Azure AD User account with MFA enabled as Service Account in Veeam Backup for Microsoft Office 365 as detailed in the next article.


About the author

Michele Domanico

Passionate about Virtualization, Storage, Data Availability and Software Defined Data Center technologies. The aim of Domalab.com is sharing with the Community the knowledge and experience gained with customers, industry leaders and like minded peers. Always open to constructive feedback and new challenges.


Click here to post a comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • Hi Michele!

    Thanks for the article! i am looking for a similar solution in my environment too. I couldn’t find the next article on how the “service/application” will actually use the account and how would it authenticate using MFA. Awaiting eagerly!

    • Hi Sam,
      thanks for your comment. It is a simple process and just a matter of editing the existing Organization and change the method to Modern Authentication using MFA. This article covers with a couple of screenshots including other new features as per Veeam VBO 3.0 https://domalab.com/vbo-beta-3-0-upgrade/
      Hope this helps.


  • Hi,

    Thanks for your helpful article. Do you have any recommendations on how to systematically differentiate between service accounts and people accounts? I want to use dynamic groups and I need an easy to to create filter criteria that says essentially “only people, no service accounts”.

    So far I’ve not found an elegant solution. Here are two:
    – Use a naming convention for the account: for example, svcHumanResource@….com
    – Use a naming convention in one of the given attributes. For example, create “HumanResources@…com” and put it in the “HR – Service Account” department.

    Both seem like a hack.

    • Hi Josh,
      thanks a lot for your comment! I agree both methods you mentioned work great and first one is my preferred too. Another one could be putting the service accounts into specific groups making it easier to include/exclude them when required.
      Another option could be to create a PowerShell script listing all Users (MailEnabled) and store them into a variable. Then pass this variable to other applications (for example to run backup). You could schedule this script and “refresh” the scope of your groups.
      I guess depending on size of environment and frequency of changes one method can be more suited than others.

      This is a script a customer used to add users to Veeam Backup for Office 365:

      Import-Module “C:\Program Files\Veeam\Backup365\Veeam.Archiver.PowerShell\Veeam.Archiver.PowerShell.psd1”

      Import-Module AzureAD


      $org = Get-VBOOrganization -Name “Demo”
      $job = Get-VBOJob -Name “TEST”
      $group = Get-AzureADGroup | Select ObjectID
      $users = Get-AzureADGroupMember -ObjectID $group.ObjectId -All$true | Select DisplayName

      foreach ($user in $users) {

      $x = Get-VBOOrganizationUser -Organization $org -Name$user.DisplayName

      Write-Host “Processing:” $x.DisplayName “(Office ID:” $x.OfficeId “| Username:” $x.UserName “)”

      $backupItemUser = New-VBOBackupItem -User $x -Mailbox:$true -ArchiveMailbox:$false -OneDrive:$false -Sites:$false

      Add-VBOBackupItem -Job $job -BackupItem $backupItemUser


      Hope it helps!
      I’m open to suggestions and feedback 🙂

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Browse articles

June 2023

Articles by Category


error: Content is protected !!
%d bloggers like this: