Azure AD User creation can be paired with Multi Factor Authentication (MFA). It allows to design dedicated user accounts to perform specific tasks. Usually, such user accounts are deployed as part of service applications that require access to other objects like Databases, Mailboxes, Sites and plenty of other services. Therefore the name Service Accounts.
Veeam Backup for Microsoft Office 365 (VBO) makes no exception. The best practice is to create and assign a dedicated user which will act as Service Account. In particular for Exchange Hybrid deployments it is recommended to synchronize AD attributes (which includes Users as well) from an On-Premises deployment to the Online Azure AD. Microsoft provides a tool called Azure AD Connect. Previous articles covered the installation and configuration steps.
To further enhance security when accessing Apps and their content in the Microsoft Azure Cloud it is also possible to enable the MFA on the Tenant and user level. In this article the steps on how to create an Azure AD User which will be used to achieve the following:
- create a separate Service Account dedicated to a specif Application to protect content (VBO)
- assign the minimum privileges to perform the operations
- enable the MFA for the Service Account
How to create an Azure AD User
From the main Dashboard > Azure Active Directory > Users the link to create a new Azure AD User.
From this step the option to set up the Name, Username and Password. A temporary one can be generated as well.
From the main All Users view the new account is now available.
By selecting the intended Service Account and a click to Multi-Factor Authentication will open a new window to enable the MFA for specific accounts.
Next step is to enable the Multi Factor Authentication.
A message shows the status for the selected accounts.
At this point the Azure AD User can be selected as Service Account for the desired application. Since this Service Account will access other objects (eg. Mailboxes, Sites and OneDrive in order to protect and recover content) it is necessary to grant the minimum permissions to run such operations.
In the case of Microsoft Exchange this can be done through the Exchange Admin Center. The Permissions > Admin Roles provides the next steps by clicking on the “plus” button to add a new one.
In this instance a new permission called “Veeam” will be created. Next is to specify a Description, Scope (Default), the Roles that will be granted and also to which Users. In this case these will be granted to the chosen Service Account.
The following screenshot shows the minimum permissions required:
- ApplicationImpersonation
- Organization Configuration
- View-Only Configuration
- View-Only Recipients
- Mailbox Search
- Mail Recipients
In order to allow to this Service Account access to SharePoint Sites (Collaboration and other Templates and Personal ones) plus OneDrive in the Properties > Roles > Manage Roles the option for the desired settings.
In the case of SharePoint and OneDrive the SharePoint Administrator checkbox is required. Additionally, it is also possible to add the permission for Microsoft Teams sites Administrator.
At this point everything is ready to use the Azure AD User account with MFA enabled as Service Account in Veeam Backup for Microsoft Office 365 as detailed in the next article.
Hi Michele!
Thanks for the article! i am looking for a similar solution in my environment too. I couldn’t find the next article on how the “service/application” will actually use the account and how would it authenticate using MFA. Awaiting eagerly!
Hi Sam,
thanks for your comment. It is a simple process and just a matter of editing the existing Organization and change the method to Modern Authentication using MFA. This article covers with a couple of screenshots including other new features as per Veeam VBO 3.0 https://domalab.com/vbo-beta-3-0-upgrade/
Hope this helps.
Regards,
Michele
Hi,
Thanks for your helpful article. Do you have any recommendations on how to systematically differentiate between service accounts and people accounts? I want to use dynamic groups and I need an easy to to create filter criteria that says essentially “only people, no service accounts”.
So far I’ve not found an elegant solution. Here are two:
– Use a naming convention for the account: for example, svcHumanResource@….com
– Use a naming convention in one of the given attributes. For example, create “HumanResources@…com” and put it in the “HR – Service Account” department.
Both seem like a hack.
Hi Josh,
thanks a lot for your comment! I agree both methods you mentioned work great and first one is my preferred too. Another one could be putting the service accounts into specific groups making it easier to include/exclude them when required.
Another option could be to create a PowerShell script listing all Users (MailEnabled) and store them into a variable. Then pass this variable to other applications (for example to run backup). You could schedule this script and “refresh” the scope of your groups.
I guess depending on size of environment and frequency of changes one method can be more suited than others.
This is a script a customer used to add users to Veeam Backup for Office 365:
Import-Module “C:\Program Files\Veeam\Backup365\Veeam.Archiver.PowerShell\Veeam.Archiver.PowerShell.psd1”
Import-Module AzureAD
Connect-AzureAD
$org = Get-VBOOrganization -Name “Demo”
$job = Get-VBOJob -Name “TEST”
$group = Get-AzureADGroup | Select ObjectID
$users = Get-AzureADGroupMember -ObjectID $group.ObjectId -All$true | Select DisplayName
foreach ($user in $users) {
$x = Get-VBOOrganizationUser -Organization $org -Name$user.DisplayName
Write-Host “Processing:” $x.DisplayName “(Office ID:” $x.OfficeId “| Username:” $x.UserName “)”
$backupItemUser = New-VBOBackupItem -User $x -Mailbox:$true -ArchiveMailbox:$false -OneDrive:$false -Sites:$false
Add-VBOBackupItem -Job $job -BackupItem $backupItemUser
}
Hope it helps!
I’m open to suggestions and feedback 🙂