How I Fixed "Unauthorized" Errors After Upgrading from Veeam VBO v4 to v5
After I upgraded from Veeam Backup for Microsoft Office 365 v4 to v5 I ran into a weird issue where some of my Azure AD permissions were missing. It manifested as a backup job log that looked like this...
Now I know this was working in v4 since I actually took a fresh backup right before upgrading. This had me scratching my head. First, I tried to resolve this issue by resetting the app passwords for my service accounts. No luck.
Next, I decided to edit my organization and re-authenticate. When I get to the part where I have just entered my Exchange Online credentials and it's trying to verify, I get an error that suggests I'm missing a required permission. Now I'm getting somewhere!
So I head over to Azure AD > App registrations and select my VBO Application.
Next I select API permissions and sure enough... the required Exchange API permission is missing as well as the required SharePoint permissions. A little odd it was working before the upgrade, but no big deal, I'll just add them now. You can see Veeam's documentation about which permissions are required here in the User Guide.
Here's where things got a bit tricky. You may have gotten a clue when you saw the notice on the previous page, but it looks like Microsoft is making some changes to the API. When I click on Add a permission and then look for the Exchange API, it's nowhere to be found. I did some internet sleuthing and found a tip to look for it in the Supported legacy APIs section at the bottom, but it's not there either.
Well, after quite a bit of digging, I finally found it. Here's the trick. Start by selecting APIs my organization uses and then type "Office 365 Exchange Online". This will filter down to the API you'll need to click. One thing that made this even more tricky is that just typing "Exchange" results in nothing. 😠
Now select Application permissions, place a check mark next to full_access_as_app, and then Add permissions.
Add the missing SharePoint permissions in the same way, except that you won't have to go searching for the SharePoint API. It's still listed right there under Microsoft APIs.
I've added the permission to my AD app, but I still have to grant admin consent.
Head over to Azure AD > Enterprise Applications and select the Veeam application for VBO and then Permissions. Click Grant admin consent... to start the process.
You'll get a login window that should show the new permissions we're granting. Verify and click Accept.
Head back to the Permissions page and refresh to see the Office 365 Exchange API now in the list with Admin consent.
With the permissions reset, I go retry the edit account wizard and success! I try again to run a backup and this time it works flawlessly.
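The steps above have two separate states: the permission being listed on the app registration, and admin consent actually being granted. As an added example (not from the original post or from Veeam), this Python check classifies full_access_as_app from JSON shaped like Microsoft Graph's `requiredResourceAccess` and `appRoleAssignments`; the two GUIDs are the well-known Exchange Online app ID and role ID, while the sample objects and object IDs are constructed placeholders.

```python
# Added example: classify one application permission from Graph-shaped JSON.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"  # Office 365 Exchange Online
FULL_ACCESS_AS_APP = "dc890d15-9560-4a4c-9b7f-a736ec74ec40"      # full_access_as_app (Role)

def permission_state(application, resource_sp, role_assignments,
                     role_id=FULL_ACCESS_AS_APP):
    """Return 'missing', 'requested-not-consented', 'consented',
    or 'consented-not-in-manifest' for one application permission.

    application      -- app registration object (has requiredResourceAccess)
    resource_sp      -- the API's service principal in this tenant (appId, id)
    role_assignments -- appRoleAssignments of the backup app's service principal
    """
    requested = any(
        rra.get("resourceAppId") == resource_sp["appId"]
        and any(a.get("id") == role_id and a.get("type") == "Role"
                for a in rra.get("resourceAccess", []))
        for rra in application.get("requiredResourceAccess", [])
    )
    # Admin consent for an application permission is stored as an app role
    # assignment that points at the resource API's service principal object id.
    consented = any(
        ra.get("resourceId") == resource_sp["id"] and ra.get("appRoleId") == role_id
        for ra in role_assignments
    )
    if requested and consented:
        return "consented"
    if requested:
        return "requested-not-consented"
    return "consented-not-in-manifest" if consented else "missing"

# Constructed sample objects; the object ids below are placeholders.
EXO_SP = {"appId": EXCHANGE_ONLINE_APP_ID, "id": "11111111-1111-1111-1111-111111111111"}
APP_AFTER_UPGRADE = {"displayName": "VBO Application", "requiredResourceAccess": []}
APP_AFTER_ADD = {"displayName": "VBO Application", "requiredResourceAccess": [
    {"resourceAppId": EXCHANGE_ONLINE_APP_ID,
     "resourceAccess": [{"id": FULL_ACCESS_AS_APP, "type": "Role"}]}]}
GRANT = [{"resourceId": EXO_SP["id"], "appRoleId": FULL_ACCESS_AS_APP}]

if __name__ == "__main__":
    print(permission_state(APP_AFTER_UPGRADE, EXO_SP, []))   # state right after the upgrade
    print(permission_state(APP_AFTER_ADD, EXO_SP, []))       # added, consent still pending
    print(permission_state(APP_AFTER_ADD, EXO_SP, GRANT))    # after Grant admin consent
```

The `consented-not-in-manifest` state flags a grant that is still active even though the app registration no longer lists the permission, which is worth reviewing for a permission this broad.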