Skip to main content

Microsoft Entra access rights after M365 server update

Background

After the upgrade to the latest version, some permissions and roles need to be re-added to the Microsoft 365 organizations. 

How to get your application ID

Log in to the Service Provider Console at: https://veeam.speicherblock.at

Go to Configuration > Plug-in library > Veeam Backup for M365 Integration

Choose Organization and the Edit the organization that you need.

On the Application Settings tab, you'll see the Application ID.

image-1726767046358.png

How to add Application permissions in Azure

Log in to Azure portal at: https://portal.azure.com

Go to Microsoft Entra ID

image-1726766400572.png

In the search field, search for App registrations and click the button.

image-1726766568380.png

Find the application that has the Application ID that you saw on the console and click on it.

image-1726767222407.png

Search in the menu points for API permissions

image-1726767308335.png

You need to add the following permissions:

API Permission Type
Microsoft Graph ChannelMember.ReadWrite.All Application
Microsoft Graph ChannelMember.ReadWrite.All Delegated
Microsoft Graph Files.ReadWrite.All Application
Microsoft 365 Exchange Online Exchange.ManageAsApp Application

You can add the permission doing the following:

  1. click on the API name,
  2. choose between Application and Delegated permissions,
  3. search for the permission and Add it.

image-1726767718801.png

image-1726767765864.png

 

image-1726767782642.png

Do this for all the listed permissions and then add Admin consent by clicking on the Grant Admin consent button.

image-1726767870956.png

Click Yes on the confirmation prompt.

image-1726767884996.png

How to assign the required role

Log in to Microsoft Entra admin center at: https://entra.microsoft.com/

Choose Identity > Roles and admins

image-1726768113034.png

Search for Global Reader and click on it.

image-1726768140819.png

Under Assignements click +Add Assignment

image-1726768196093.png

Search for the Veeam application - you can recognize it by checking the ID in the Description field.

Add the role assignment.

image-1726768302661.png

Microsoft Teams public channel backup

Teams public channels are backed up using Microsoft Graph Export API. However, access to this API has been changed by Microsoft. Using this API comes with an additional cost, so you need to decide if you need this in your backup or not.

Original Veeam article to follow:

https://www.veeam.com/kb4322