Azure AD User creation can be paired with Multi Factor Authentication (MFA). It allows dedicated user accounts to be designed for specific tasks. Usually, such user accounts are deployed as part of service applications that require access to other objects like Databases, Mailboxes, Sites and plenty of other services, hence the name Service Accounts.
Veeam Backup for Microsoft Office 365 (VBO) is no exception. The best practice is to create and assign a dedicated user which will act as Service Account. For Exchange Hybrid deployments in particular, it is recommended to synchronize AD attributes (which include Users as well) from the On-Premises deployment to the Online Azure AD. Microsoft provides a tool called Azure AD Connect for this; previous articles covered its installation and configuration steps.
To further enhance security when accessing Apps and their content in the Microsoft Azure Cloud, it is also possible to enable MFA at the Tenant and user level. This article covers the steps to create an Azure AD User that will be used to achieve the following:
- create a separate Service Account dedicated to a specific Application to protect content (VBO)
- assign the minimum privileges to perform the operations
- enable the MFA for the Service Account
How to create an Azure AD User
From the main Dashboard > Azure Active Directory > Users, the link to create a new Azure AD User is available.
This step provides the option to set up the Name, Username and Password. A temporary password can be generated as well.
From the main All Users view the new account is now available.
Selecting the intended Service Account and clicking Multi-Factor Authentication opens a new window where MFA can be enabled for specific accounts.
The next step is to enable Multi Factor Authentication for the selected account.
A message shows the status for the selected accounts.
At this point the Azure AD User can be selected as Service Account for the desired application. Since this Service Account will access other objects (e.g. Mailboxes, Sites and OneDrive in order to protect and recover content) it is necessary to grant the minimum permissions required to run such operations.
In the case of Microsoft Exchange this can be done through the Exchange Admin Center. Under Permissions > Admin Roles, clicking the “plus” button adds a new one.
In this instance a new permission called “Veeam” will be created. Next, specify a Description, the Scope (Default), the Roles that will be granted and the Users they will be granted to. In this case these will be granted to the chosen Service Account.
The following screenshot shows the minimum permissions required:
- Organization Configuration
- View-Only Configuration
- View-Only Recipients
- Mailbox Search
- Mail Recipients
In order to allow this Service Account access to SharePoint Sites (Collaboration and other Templates, plus Personal ones) and OneDrive, open the account's Properties > Roles > Manage Roles and select the desired settings.
For SharePoint and OneDrive the SharePoint Administrator checkbox is required. Additionally, it is possible to add the permission for Microsoft Teams sites Administrator.
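The portal steps above (create the user, enable per-user MFA, create the “Veeam” Exchange role group with the five minimum roles, and add the SharePoint Administrator directory role) can also be scripted so the configuration is repeatable and auditable. The following is an added example written for this article, not code from Veeam or Microsoft. It assumes the AzureAD, MSOnline and ExchangeOnlineManagement PowerShell modules are installed, that the operator running it already holds the rights to create users and assign roles, and uses placeholder values for the tenant domain, UPN and display name.

```powershell
# Added example, not part of the original article: scripted version of the
# portal steps described above. Placeholders below are assumptions.
$TenantDomain  = "contoso.example"            # placeholder tenant domain
$Upn           = "svc-vbo@$TenantDomain"      # placeholder UPN for the Service Account
$DisplayName   = "VBO Service Account"        # placeholder display name
$RoleGroupName = "Veeam"                      # role group name used in the article
$ExchangeRoles = @(                           # minimum Exchange roles listed in the article
    "Organization Configuration",
    "View-Only Configuration",
    "View-Only Recipients",
    "Mailbox Search",
    "Mail Recipients"
)

Connect-AzureAD | Out-Null
Connect-MsolService
Connect-ExchangeOnline -ShowBanner:$false

# 1. Create the dedicated user with a random temporary password that must be
#    changed at first sign-in (equivalent to the portal's generated password).
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)

$profile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$profile.Password = $tempPassword
$profile.ForceChangePasswordNextLogin = $true

$user = New-AzureADUser -DisplayName $DisplayName `
                        -UserPrincipalName $Upn `
                        -MailNickName "svc-vbo" `
                        -AccountEnabled $true `
                        -PasswordProfile $profile

# 2. Enable per-user MFA. This is the same setting the portal's
#    Multi-Factor Authentication page changes for the selected account.
$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = "*"
$mfa.State = "Enabled"
Set-MsolUser -UserPrincipalName $Upn -StrongAuthenticationRequirements @($mfa)

# 3. Exchange: a dedicated admin role group holding only the five required roles,
#    with the Service Account as its only member (least privilege).
New-RoleGroup -Name $RoleGroupName `
              -Description "Minimum Exchange rights for Veeam Backup for Office 365" `
              -Roles $ExchangeRoles `
              -Members $Upn | Out-Null

# 4. SharePoint/OneDrive: the SharePoint Administrator directory role. A directory
#    role has to be activated from its template the first time it is used in a tenant.
$roleName = "SharePoint Administrator"
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId

# 5. Verify the result before handing the account to VBO: MFA state,
#    Exchange role group membership and directory role membership.
$mfaState = (Get-MsolUser -UserPrincipalName $Upn).StrongAuthenticationRequirements.State
Write-Host "MFA state for ${Upn}: $mfaState"

Write-Host "Members of role group ${RoleGroupName}:"
Get-RoleGroupMember -Identity $RoleGroupName | Select-Object Name, PrimarySmtpAddress

$hasSpAdmin = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
              Where-Object { $_.ObjectId -eq $user.ObjectId }
Write-Host "Holds ${roleName}: $([bool]$hasSpAdmin)"

# Hand the temporary password over through a secrets channel, never in chat or mail.
$tempPassword | Out-Null
```

The verification step at the end is worth keeping in any change ticket: it records that MFA is enabled and that the account holds exactly the “Veeam” role group and the SharePoint Administrator role, which is what an auditor will later ask for. The Microsoft Teams sites Administrator permission mentioned above is optional and is left out of the script on purpose.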
At this point everything is ready to use the Azure AD User account with MFA enabled as Service Account in Veeam Backup for Microsoft Office 365 as detailed in the next article.