Permissions, Permissions, Permissions!

Nov 10, 2020

Permissions are, unfortunately, critically important when it comes to managing access to, well, just about anything. With the ever-evolving security landscape, 2FA and MFA are becoming the go-to for securing access to systems. This also brings a certain level of pain when vendors constantly make security-related changes, and one such case is backing up Public Folders in Office 365 using Veeam Backup for Office 365.

Microsoft recently made some backend changes to Office 365, resulting in the "Default User Does Not Have Sufficient Permissions" issue. This requires changes to both the VBO backup proxy servers and the O365 permissions. Veeam Backup for Microsoft Office 365 uses impersonation to back up public folders. When a public folder is created, it automatically inherits permissions from its parent folder. One of these permissions is assigned to the Default user and grants the Author access rights. If an Exchange administrator revokes the permissions granted to the Default user, impersonation cannot be performed.

If you do not want the Default user to have access to public folders and want to use the service account instead, make sure to assign the service account either the Owner or Reviewer permission on each of the public folders. To see which accounts have access to public folders and what permissions they hold, run the following cmdlets and specify the credentials used in Veeam Backup for Microsoft Office 365.

```powershell
# Prompt for the credentials used in Veeam Backup for Microsoft Office 365
$creds = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $creds -Authentication Basic -AllowRedirection
Import-PSSession $session

# Walk every public folder from the root and export who holds which rights
Get-PublicFolder \ -Recurse |
    Get-PublicFolderClientPermission |
    Select-Object Identity,@{Expression={$_.User};Label="User"},@{Expression={$_.AccessRights};Label="AccessRights"} |
    Export-Csv C:\PublicFolderClientPermission.csv

Remove-PSSession $session
```

The cmdlet saves information about users and permissions to the C:\PublicFolderClientPermission.csv file.
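One way to review that CSV before relying on the service account, as an added example that is not part of the original post or of Veeam's documentation. The sample rows and the account name `svc-vbo@contoso.example` are constructed, and the script assumes the AccessRights column holds role names as text.

```powershell
# Constructed sample rows in the shape written by the export above
# (Identity, User, AccessRights). For real data use:
#   $rows = Import-Csv C:\PublicFolderClientPermission.csv
$rows = @'
Identity,User,AccessRights
\Finance,Default,Author
\Finance,Anonymous,None
\Finance,svc-vbo@contoso.example,Reviewer
\Finance\Payroll,Default,None
\Finance\Payroll,Anonymous,None
\HR,Default,Author
\HR,svc-vbo@contoso.example,Contributor
'@ | ConvertFrom-Csv

# Hypothetical service account name; use the account configured in Veeam.
$serviceAccount = 'svc-vbo@contoso.example'
# Roles the post names as sufficient for the service account.
$backupRoles = 'Owner', 'Reviewer'

function Test-BackupRole {
    param([object[]]$Entries, [string]$User, [string[]]$Roles)
    # Assumption: AccessRights is plain text; several rights may be
    # separated by commas or spaces.
    foreach ($entry in ($Entries | Where-Object { $_.User -eq $User })) {
        $rights = $entry.AccessRights -split '[,\s]+' | Where-Object { $_ }
        if ($rights | Where-Object { $Roles -contains $_ }) { return $true }
    }
    return $false
}

# One report row per folder: is the service account covered, and what
# does the Default user still hold?
$report = $rows | Group-Object Identity | ForEach-Object {
    $default = $_.Group | Where-Object { $_.User -eq 'Default' } | Select-Object -First 1
    [pscustomobject]@{
        Folder           = $_.Name
        ServiceAccountOk = Test-BackupRole -Entries $_.Group -User $serviceAccount -Roles $backupRoles
        DefaultRights    = if ($default) { $default.AccessRights } else { '(no entry)' }
    }
}

# Folders the service account cannot read directly once impersonation is disabled.
$report | Where-Object { -not $_.ServiceAccountOk } | Format-Table -AutoSize
# Folders where the Default user still holds rights, for review.
$report | Where-Object { $_.DefaultRights -notin 'None', '(no entry)' } | Format-Table -AutoSize
```

With the constructed rows, the first table lists `\Finance\Payroll` and `\HR`, and the second lists `\Finance` and `\HR`.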

To grant access, you can do either of the following:
• Assign the Default user either the Owner or Reviewer permission on each of the public folders (and sub-folders).
• Add your service account to the public folders with the Owner or Reviewer permission and disable impersonation.

To assign permissions, run the following cmdlets and specify the credentials used in Veeam Backup for Microsoft Office 365.

```powershell
# Prompt for the credentials used in Veeam Backup for Microsoft Office 365
$creds = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $creds -Authentication Basic -AllowRedirection
Import-PSSession $session

# Enumerate every public folder starting at the root ("\")
$folders = Get-PublicFolder "\" -Recurse
foreach ($folder in $folders)
{
    # Grant the service account read-only (Reviewer) access to this folder
    Add-PublicFolderClientPermission -Identity $folder.Identity -User YourServiceAccount@*******.onmicrosoft.com -AccessRights Reviewer
}

Remove-PSSession $session
```

It is recommended to use PowerShell to assign permissions to public folders.

The following table shows an example of user permissions after the cmdlet is executed.

Once the cmdlet is executed, make sure to disable impersonation for the service account. After impersonation is disabled, the service account will have direct access to public folders.

To disable impersonation, do the following:

  1. Open the Veeam Backup for Microsoft Office 365 console and stop active backup jobs (if any).
  2. Open the Services.msc console on a proxy server that is responsible for processing public folders.
    To find out which proxy server is used, in the Veeam Backup for Microsoft Office 365 console, right-click a backup job, select Edit and go to the Specify Backup Proxy and Repository step.
  3. In the Services.msc console, stop the Veeam Backup Proxy for Microsoft Office 365 Service.
  4. Create a backup copy of the C:\ProgramData\Veeam\Backup365\Proxy.xml file by copying it to another location.
  5. Open the original Proxy.xml file using any text editor and add the line between  tags.
  6. Save the Proxy.xml file.
  7. Start the Veeam Backup Proxy for Microsoft Office 365 Service.
  8. Open the Veeam Backup for Microsoft Office 365 console and run backup jobs with public folders.

If you are already using the vBridge VBO service, we have made the required changes to our Proxy Servers, so if you see errors in your backup job logs that look like this:

Processing mailbox Mailbox1_########@.onmicrosoft.com failed with error: Failed to access public folders.. An internal server error occurred. The operation failed., Mailbox must be accessed as owner. Owner: ####; Accessing user: /o=ExchangeLabs/ou=Exchange Administrative Group (####)/cn=Recipients/cn=-Mailbox1

Follow the above steps to get your permission settings in O365 right.

Rob Green

Rob originates from SA and delivers a great double-billing as Operations Manager & Information Security Manager