Veeam: How to create additional administrators to access the Veeam Backup for Microsoft Office 365 Console

Greetings friends, I have told you many times all the advantages that Veeam Backup for Microsoft Office 365 has, also remember that it allows you to protect 10 users, with 1TB of SharePoint, free and forever, I leave you some of the previous entries:

Today we will see a topic that many people ask me, how can we create additional administrators that have access to the console.

Diagram of Administrators accessing Veeam Backup for Microsoft Office 365 Server

This is what an environment of several administrators accessing their local Veeam Backup for Microsoft Office 365 Server consoles would look like:

Create additional administrators, grant permissions, and restrict remote access

When we are talking about additional administrators for Veeam Backup for Microsoft Office 365, we are talking about Local Admins. Since for now, Veeam has no other way to restrict these privileges. I leave you with a simple PowerShell so you can create your users and put them into the Local Admins group:

$Password = Read-Host -AsSecureString
New-LocalUser "MIADMIN2" -Password $Password -FullName "ADMIN2" -Description "ADMIN 2 for VBO
Add-LocalGroupMember -Group Administrators -Member MIADMIN2

This will allow us to create a password, which is assigned to the user we want to create, and we put that user in the group of Administrators, so far so good. But what if we don’t want these VBO Administrators to be able to connect via Remote Desktop, or access the VMware Console, for example, we will have to edit the default GPO and add these users to these two policies, I leave you with an example.

In Computer Configuration – Windows Settings – Security Settings – Local Policies – User Rights Assignment:So if this administrator, or administrators, want to connect by Remote Desktop, or by console, they will see the following:Surely there are more policies that we can include apart from these two, if you know them all, please leave a comment. At least we can limit a little with these steps.

Another very simple option is to have all the ports closed, except for those necessary for the correct functioning of Veeam Backup for Microsoft Office 365, for example, port 9191 from the outside to the server is to be used to open the Console.

Necessary components in each Administrator

Each Administrator will need a series of components to remotely access Veeam Backup for Microsoft Office 365 Server, it is really very simple and we can find the installation package on the Veeam website:Once we download the package to each desktop of one of these administrators, we will run the installer that says Veeam Backup 365:

When selecting which components we want to install, we will only need the console, if we want to use some of the cool things that have PowerShell, leave it, if not I recommend not to install it:

If we go to the start menu and look for “Veeam Backup” we will find our Veeam Backup for Microsoft Office 365 console.

Access the Console with our different Administrators

Well, that’s it, once we open the console, we access it with our new administrators:And we will be able to see all our jobs, create more, delete them, see statistics, generate reports, etc.In case we would also like to launch restorations of Exchange, SharePoint, OneDrive, or Teams, we will have to install the Explorers on each Administrator’s computer:

How to Monitor and get visibility of each Administrator’s recovery tasks

Of course, Veeam Backup for Microsoft Office 365, stores all the information of what each Administrator does with the product, in a format of security logs, which can be checked very easily within History – Restore, for example:If you want something more elegant and automated, I have already left you a Grafana Dashboard that works great for this type of visualization:

That’s all folks, I hope you like it, and you can use this post.

Author: jorgeuk

Father, writing in and Blogger, Systems Engineer @veeam - vExpert 2014/2020 & NTC 2018/19

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.