Veeam VBM (v6)

What is VBM?
"Veeam Backup for Microsoft 365 (VBM) is a comprehensive solution that allows you to back up and restore data of your Microsoft Microsoft 365, on-premises Microsoft Exchange and on-premises Microsoft SharePoint organizations, including Microsoft OneDrive for Business."

BEC ("Business Email Compromise") attacks can be devastating. The average amount requested in wire transfer-based BEC attacks increased in 2020 from $48,000 in the third quarter to $75,000 in the fourth quarter." (source)
Microsoft Exchange Server attacks: 'They're being hacked faster than we can count'
SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint
Cyber Chat: Protecting against conversation hijacking and phishing attacks - Oct 31, 2022 - 4 minute read
Microsoft Teams vulnerability allows attackers to deliver malware to employees - Zeljka Zorz - June 23, 2023
IT Contractor Sentenced to Two Years for Deleting Carlsbad Company’s Microsoft User Accounts

Shared Responsibility Model

"Microsoft 365 employs the “shared responsibility model,” which dictates that Microsoft is responsible for its own global infrastructure and ensuring that Microsoft 365 remains up and running, and its customers are responsible for the access and control of their data that resides within the Office 365 infrastructure". According to a recent Enterprise Strategy Group report, 1 in 4 businesses don’t believe they need to backup Microsoft 365. This conclusion often stems from backup misconceptions and responsibility confusion...

Microsoft's Responsibility: Uptime OF the cloud.
Customer's Responsibility: Access and control of data IN the cloud.

Note: "The average length of time from data compromise to discovery is over 140 days, yet default settings only protect for 30 to 90 days".

Live hacking in Office 365 (Video)! Don't get hooked!

"According to the software company Egress, 85% of organizations using Microsoft 365 have experienced an email data breach." (Source)

"After an email data breach, the vast majority (93%) of organizations using Microsoft 365 reported "suffering negative impacts," compared to 84% of non-Microsoft 365 users, according to Egress." (Source)

Data Protection Responsibilities...

Customer...

Human Error
Programmatic Errors
Malicious Insiders
External Hackers
Viruses/Malware

Microsoft...

Hardware Failure
Software Failure
Natural Disaster
Power Outage

Here Is 1 More Reason You Need to Back Up Microsoft 365. Do I Need to Be Concerned About Ransomware? Business | July 18, 2023

April 3, 2023 - 6 min read - The article discusses the importance of immutable backups for ensuring data protection and introduces a new feature in Veeam Backup & Replication that allows for immutable backups on Linux repositories. Immutable backups are backups that cannot be modified or deleted, ensuring that the data remains safe from threats such as ransomware. The article explains the benefits of using immutable backups and how they work in Veeam's Linux repositories. It also provides a step-by-step guide on how to set up immutable backups in Veeam Backup & Replication. - Veeam Backup for Microsoft 365 Best Practices

VBM server (Scheduler), Proxy (Data Mover), Repository (MS ESE/JET Blue database)

What about "Litigation Hold"?

Six Reasons for VBM...

Protect against accidental deletion of data.
Satisfy retention policy gaps and confusion.
Address internal security threats.
Address external security threats.
Satisfy legal and compliance requirements.
Manage hybrid email deployments and migrations to Office 365

Extra: 7 Reasons Why Microsoft 365 Backup is Critical - May 2 2022

Microsoft: "Point in time restoration of mailbox items is out of scope for the Exchange Online service, though there might be third-party solutions available that provide this functionality"

Recover from a ransomware attack in Microsoft 365
"Step 1: Verify your backups"
Email back up for ‘about half’ of Georgetown County staff following ransomware attack

Design Considerations...

How to test Exchange Online service connection performance using Microsoft Support and Recovery Assistant
45 Microsoft 365 recovery options with Veeam- May 4, 2022 - 4 min to read
Veeam: Veeam Backup for Microsoft 365 – Security Notifications for Restore operations (Modern Auth – Automated) - 5th August 2023
- "That is why I’ve created a simpled PowerShell script that will make your life much easier to configure OAuth on Audit operations for Veeam Backup for Microsoft 365"

Guide for updating Veeam Backup for Microsoft 365 - Sep 1, 2022, - 4 minute read

NEW: Veeam Backup for Microsoft 365 v6a – Teams Export API Previewed

NOTE: Backup for Microsoft 365 (Office 365): FREE for 10 users and 10 teams

Veeam announces it’s a Certified Backup & Restore provider for Microsoft Teams

Veeam Backup for Microsoft 365 delete OneDrive backup

$$$...
"NOTE: Veeam Backup for Microsoft Office 365 to capture a backup doesn’t take egress from M365, and placing the backups in Azure would be mostly ingest if the backup server is on-prem or another region from backup server, in addition some API charges can apply for “put” and “get” of data to Object Storage. If the backup product is deployed in Azure and sent to Object storage the ingress and egress charges will be minimal if all components are deployed in the same region because the data will not leave the Azure network. There will be some egress to read and put data into blob storage which can vary based on the type of data stored and the restore frequency."

HOL

HOL - Dive into VBM with a guided hands‑on lab experience. - Within 15 minutes, you will get a confirmation that your lab is ready. Once you submit your promo code you will have 3 hours to use the lab before it expires.

Item-level retention (object related) vs Snapshot-based retention

Item-level retention (object related)

Act like archive software
Items will be deleted if they were not created or modified f.e. within the last 3 years

Snapshot-based retention

Act like a backupfile
f.e. all files will be kept for 3 years
Items will be deleted only if they are expired and do not belong to a recovery point

"A backup repository will be extended with the specific object storage and backups will be off-loaded directly to object storage.

Once you configure a backup repository to offload data, it will consist of two parts:

Local folder, which contains metadata (JET DB)
Object storage, which contains the metadata and backups

When the backup job starts, the data first goes to the local cache, which is only stored in RAM memory, and afterwards is sent directly to the object storage. In the local cache we store the metadata to present the object directly via Veeam Explorer, but the content of the object itself (email body, attachment, appointment info, file contents…) is stored in the object storage.

Additionally, when you perform a restore via a Veeam Explorer you will get a notification if you are accessing data from Object Storage to warn you about potential costs. Below you can see how it looks for the Veeam Explorer for Microsoft Exchange when you open a restore point."

More information on VBM (Click here)

Non-Technical Information...

V5 Scalability and performance enhancements...
Addressing the needs of larger and growing organizations, version 5 delivers multiple architectural enhancements and processing optimizations to provide better scalability, simplified management and faster backups and restores.

5X backup infrastructure scalability increase is delivered with the support of up to 50 remote proxies per a single backup server.
Workgroup environment support addresses the needs of cloud deployments and releases the domain requirement for Veeam Backup for Microsoft Office 365 components. Additional remote proxies can now be deployed in workgroups, allowing for easier management and scaling up your backup infrastructure.
Faster population of objects in the backup job wizard reduces to minutes the time for creating or editing backup jobs via the UI for Office 365 organizations with more than 100,000 users, groups and sites. Additionally, searching for individual objects is now performed directly on the Azure AD side, which significantly speeds up finding a specific user, group or site you want to protect.
2X faster backup data migration to object storage from local repositories.
Faster backup and more efficient digesting of massive SharePoint Online sites achieved through parallel processing of individual lists and improved handling of failed items within lists.
Faster management operations and improved UI responsiveness for larger-scale deployments achieved with the optimized communication between backup infrastructure components.
Thousands of backup repositories, OneDrive accounts and Exchange items represented within seconds with the optimized RESTful API calls.
The information on space used on thousands of backup repositories is delivered within seconds with the optimized PowerShell cmdlets.

Technical Design and Architecture...

Technical Details...

Looking for the Perfect Dashboard: InfluxDB, Telegraf, and Grafana – Part XL (Veeam Backup for Microsoft 365 – Restore Audit)

Common support questions/permissions/MFA (Click here)

How to automate adding Veeam Backup for Microsoft 365 Auxiliary accounts (Click Here)

Posted: 07 May 2021 08:51 AM PDT

Veeam Backup for Microsoft Office 365 is subject to throttling rules placed on SharePoint sites. These rules limit traffic speed for any item downloaded per user from any SharePoint site or OneDrive for Business on Microsoft servers. These throttling rules generally go unnoticed in day-to-day use of the cloud product but can drastically limit backup recovery point objectives. Veeam has a solution to this problem in the way of Auxiliary backup accounts.

Auxiliary backup accounts provide a form of load balancing from SharePoint and OneDrive for Business servers through multiple Microsoft account invitations. Since each account can generally back up at the maximum defined throttling speed, the overall backup job completes exponentially faster. This will also speed up the backup of data that resides on SharePoint in the backend, like Microsoft Teams. Creating multiple user accounts in Microsoft Office 365 and then adding them to the Veeam Backup for Microsoft Office 365 console can take time and patience. It is also found when someone needs to do a repetitive task by hand; things like security might be overlooked to save time, like setting each account with the same password.

All of these points bring us to the reason for this blog, a PowerShell script that makes as many accounts as you want and sets a secure, unique password for Veeam Backup for Microsoft Office 365 version 5 for each account. This script was built for basic authentication. If the organization requires modern app-only authentication, then mitigating throttling Microsoft Azure AD applications will be needed. More information can be found in our user guide.

Getting started...

Before creating any accounts, there are a few things to consider. The script will need to be run from the Veeam Backup for Microsoft Office 365 server so that the users can be added to the console. When creating users to add into the Veeam Backup for Microsoft Office 365 console, they will be added via a security group, so the account used to run the script will need to be an administrator account in Office 365 with enough permissions to create users and groups then add them to that group. In the script, the number of accounts can be configured to whatever is needed for the organization. The script can also be re-run with increased numbers to add more users if needed. It is the recommendation to start at eight accounts per proxy added to the console for the organization, then monitor for any signs of continued throttling in the job. Examples of signs you’re still being throttled are getting 503 errors in the logs or if the console jobs seem to process significantly faster at the start of the job run then slow down as time goes on.

If there are still signs of OneDrive for Business or SharePoint sites being throttled in the job, then increase the number of accounts in increments of eight until the issue is resolved. The script has been designed to follow this model with the variables. The $ProxyCount only needs the number of proxies added in the console, and the math will be done in the background. If additional accounts are needed, then use the variable.

How to run the script...

Before running the script below, three variables must be filled in.

$ProxyCount will signify the number of proxies added to the Veeam Backup for Microsoft Office 365 console used for that organization.
$AzureAdmin needs to be a Microsoft 365 account admin with add and modify permissions for users and groups.
$VBOOrg is the organization’s name as it appears in the Veeam Backup for Microsoft Office 365 console.

If you need additional accounts, use the $AdditionalAccountSets variable. With this variable, you only need to increase the number by one increment to get an additional eight accounts. For example, if you increase the number to 10, the script will create an additional 80 accounts.

Create Auxiliary Backup Accounts script.

How to remove the accounts

There are many reasons to need the removal of data, including users, from Microsoft Office 365. Below is a script that will clear all accounts and the group created from the script above. These users will be removed from both the active user list and the recycling bin. The only variable that needs to be filled out in this script is $AzureAdmin for the account used to delete the users.

Remove Auxiliary Backup Accounts script.

Conclusion...

Throttling from Microsoft can be a significant cause of job performance issues when processing SharePoint sites and OneDrive for Business objects, but adding backup auxiliary accounts can help alleviate this bottleneck and can be made easy by using the scripts mentioned above. If adding more accounts does not give a noticeable difference in backup efficiencies, then the problem might not be Microsoft throttling. Many other factors can also affect performance, like under-provisioned resources on the server or proxies, slow storage processing for the backup and network constraints, including internet connection.

Check out our Deployment Guide or the Best Practice Guide to ensure the components are appropriately provisioned and open a case with support if the issues persist. Please keep in mind that troubleshooting scripts is outside the support contract. Alternatively, Veeam has a great community on the forums to help with any Veeam-related script issues.

To get started with Veeam Backup for Microsoft Office 365, begin a FREE 30-day trial today!

The post How to automate adding Veeam Backup <em>for Microsoft Office 365</em> Auxiliary accounts appeared first on Veeam Software Official Blog.

REALLY COOL Jorge de la Cruz content (Click Here)

Jorge de la Cruz - Senior Analyst at Veeam Software