Greetings friends, a few days ago I prepared a really detailed blog post for the release of Veeam Backup for Microsoft 365 v6. Since then I have received around a dozen messages, via LinkedIn and even from internal colleagues, asking how to enable the Restore Portal (self-service). So I have decided to document the steps required to enable this key functionality.
What does the Topology look like for a big environment using Restore Portal?
The moving parts involved in the Restore Portal are the following:
- Veeam Backup for Microsoft 365 server
- Veeam Backup for Microsoft 365 RESTful API Service
- Microsoft 365 organization
- Restore Portal
- Veeam Backup Proxy for Microsoft 365 Service
One of the important things to understand is that the components are meant to be distributed in order to scale out the design. (Please note I have not added Repositories or Proxies to this diagram; it is just for the Self-Service Portal.)
For example, this diagram shows a very high-level design with three moving parts: the VBM Server itself, usually on a protected network like the LAN, and then the VBM RESTful API + Restore Portal, which sit on a public-facing network. The Restore Portal and the REST API components are always deployed together.
For somewhat smaller environments, you could put all the services together and perhaps add the Proxy/Repo on other computers. However, please be mindful that the System Requirements have changed, and as a minimum the VBM 365 Server now needs to have 8CPU/16GB RAM.
If I were deploying this into production, with a couple of hundred users having access to the Restore Portal, I would already be doing it in multi-server mode: 1 VBM365, 1 RESTAPI+RestorePortal, X Proxies. After all, we are exposing port 443 to the Internet, which by default means using a DMZ.
How-to Enable Veeam Backup for Microsoft 365 Restore Portal
Enabling the new Restore Portal takes only a few seconds; the steps just need to be done in a particular order, and everything is done from the Options menu:
- General Options – Authentication – Enable Restore Operator Authentication with Microsoft credentials + click Install on the SSL certificate and produce a self-signed one
- Options – REST API – Enable REST service + click Install on the SSL certificate and produce a self-signed one (this is the one that will be exposed to the clients, so a valid commercial SSL certificate is always better to avoid calls, dramas, and the “insecure look”)
- Options – Restore Portal – Enable Restore Portal + click Install on the SSL certificate and produce a self-signed one
- On the same tab, now Create Application: Name it whatever you like + click Install on the SSL certificate and produce a self-signed one + Restore Portal web address, which needs to look like this: https://yourvbofqdn:4443 – this is not your Azure Organization, nor your Office 365 tenant domain; it is the FQDN you want your clients to access. In my case, for example, it is https://vbo-v6.jorgedelacruz.es:4443, and in my browser I can access that URL
Role-based access control on Veeam Backup for Microsoft 365 v6
According to Wikipedia:
In computer systems security, role-based access control (RBAC) or role-based security is an approach to restricting system access to authorized users. It is an approach to implement mandatory access control (MAC) or discretionary access control (DAC).
Role-based access control (RBAC) is a policy-neutral access-control mechanism defined around roles and privileges. The components of RBAC such as role-permissions, user-role and role-role relationships make it simple to perform user assignments.
So, based on this description, and this is my personal opinion, I would say that Veeam Backup for Microsoft 365 v6 allows RBAC. How? I understand it like this:
A real-life example of Role-based access control on Veeam Backup for Microsoft 365 v6
If you want to see it on a diagram, with a bit more security, imagine we deploy Veeam Backup for Microsoft 365 on a Cloud Provider like AWS or Azure, with good practice across the different roles, access perhaps through a jump box, etc. I hope this diagram helps you understand a bit better the importance of having different roles.
Restore Operator Role
Tied to the previous functionality, there is of course a new option on the Console called Restore Operator. This option allows your organization to select specific individuals or groups; once you have them, you can give them the scope of what they can restore when logging into the Self-Service Portal.
How-to Configure the Restore Operator Role
As usual with any Veeam interface, it is just a few clicks and you are done. From the main console, click the main menu, then click Restore operator roles:
Select the option Add restore operator roles:
Let’s enter a name for this specific role; in my case I have chosen, for example, Delegated Admin Role:
We can be granular and create different roles, for different Organizations (you might guess that this will be perfect for VCSP):
And give them the scope we require, a few SharePoint Sites, maybe some users, some groups, maybe some OneDrives, etc.
And that’s it: we now have a new Restore Operator Role, and we can create as many as we need. Once a Restore Operator logs in to the Self-service portal, his/her own content will be available, as well as the content he/she has scope to restore.
Accessing the Restore Portal, and switching between the Scopes
If we now head to the FQDN we entered when enabling the Restore Portal, we should see something similar to this:
When we enter valid credentials, that is, a user or Restore Operator that Veeam Backup for Microsoft 365 v6 is protecting, it will automatically redirect to the Microsoft AD authentication; if MFA is configured, it will ask for it, etc. Veeam Backup for Microsoft 365 v6 relies on that authentication to decide whether to grant access to the backups of that user or scope.
If everything goes without issue, what the user sees next is his/her own Mailbox backup, OneDrive, and Personal Sites, and they can recover from the last valid restore point back to their own Mailbox, to another folder, etc.
How does a Restore Operator switch between Scopes?
It is quite simple: at the top right, where the name of the user is, and only if they have been assigned a Restore Operator Role with a Scope, the following option will appear:
From here, a table with all the objects this user has Scope to restore will appear:
But do not worry, the Restore Operator cannot export any of the files, restore them to another user, etc. The Restore Operator Role can only restore back to the self-contained user/site it is accessing.
This is an example of what the Restore Operator will see, or for that matter, any user triggering restores:
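To make the Restore Operator Role and scope rules above concrete, here is an added illustration (not Veeam's code or API; role, group and user names are constructed) of the policy the post describes: a logged-in user always gets their own content, a Restore Operator additionally gets the objects in the scope of any role they hold, and restores are only allowed back to the same user/site, never exported or sent to another user.

```python
from dataclasses import dataclass, field

# Constructed model of a Restore Operator Role as described in the post.
# Illustration only: names and structure are assumptions, not Veeam's API.
@dataclass
class RestoreOperatorRole:
    name: str
    organization: str
    operators: set                       # UPNs or group names holding the role
    scope_users: set = field(default_factory=set)
    scope_groups: set = field(default_factory=set)
    scope_sites: set = field(default_factory=set)

# Constructed group membership, standing in for what the tenant would resolve.
GROUP_MEMBERS = {
    "HR": {"alice@example.com", "bob@example.com"},
    "Helpdesk": {"carol@example.com"},
}

def expand_users(names, group_members):
    """Resolve a mix of UPNs and group names to a flat set of UPNs."""
    users = set()
    for n in names:
        users |= group_members.get(n, {n})
    return users

def restorable_objects(login, roles, group_members):
    """Objects the logged-in user may restore: always their own mailbox/OneDrive,
    plus everything in scope of any role they hold directly or via a group."""
    allowed = {("user", login)}
    for r in roles:
        if login in expand_users(r.operators, group_members):
            in_scope = expand_users(r.scope_users | r.scope_groups, group_members)
            allowed |= {("user", u) for u in in_scope}
            allowed |= {("site", s) for s in r.scope_sites}
    return allowed

def can_restore(login, roles, group_members, source, target, action="restore"):
    """Policy from the post: only restore (no export), only objects in scope,
    and only back to the same user/site the operator is accessing."""
    if action != "restore":
        return False
    if source not in restorable_objects(login, roles, group_members):
        return False
    return target == source
```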
Extra: the Restore Portal loads, but entering a valid user/password produces AADSTS50011 – The Redirect URI error
This is a simple but sadly common mistake, and it relates to the URL/FQDN we used when creating the Restore Portal. As an example:
- I have created the Restore Portal with https://vbov6.jorgedelacruz.es:4443
- An experienced user who knows the IP of that server tries to open the Restore Portal using https://IPOFMACHINE:4443 <– They will see this error
Issues like this are simple to debug: if in doubt, just use the very same FQDN that was used to create the Restore Portal. You can create the Restore Portal App as many times as you need 🙂
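As an added helper for triaging this mismatch (my own illustration, not a Veeam or Microsoft tool), the check below normalizes the registered Restore Portal web address and the URL a user actually opened, and explains why they differ: an IP literal instead of the FQDN, a different scheme, or a different port. The registered address is the one from the post; the IP 203.0.113.10 is a constructed documentation address.

```python
from urllib.parse import urlsplit
import ipaddress

def normalize(url):
    """Return (scheme, host, port) with defaults applied, so that
    https://HOST:443/ and https://host compare equal."""
    p = urlsplit(url.strip())
    if not p.scheme or not p.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    port = p.port or {"https": 443, "http": 80}.get(p.scheme.lower())
    return p.scheme.lower(), p.hostname.lower(), port

def is_ip_literal(host):
    """True when the host part is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def redirect_uri_check(registered, attempted):
    """Explain whether the URL a user opened matches the Restore Portal
    address registered in the application (the AADSTS50011 cause)."""
    reg, att = normalize(registered), normalize(attempted)
    if reg == att:
        return True, "matches the registered Restore Portal address"
    reasons = []
    if is_ip_literal(att[1]) and not is_ip_literal(reg[1]):
        reasons.append("IP address used instead of the registered FQDN")
    elif att[1] != reg[1]:
        reasons.append(f"host {att[1]} differs from registered {reg[1]}")
    if att[0] != reg[0]:
        reasons.append(f"scheme {att[0]} differs from registered {reg[0]}")
    if att[2] != reg[2]:
        reasons.append(f"port {att[2]} differs from registered {reg[2]}")
    return False, "; ".join(reasons)

def portal_address_warnings(registered):
    """Sanity checks on the address given when creating the Restore Portal app."""
    scheme, host, port = normalize(registered)
    warnings = []
    if scheme != "https":
        warnings.append("portal address should use https")
    if is_ip_literal(host):
        warnings.append("use the FQDN clients will type, not an IP address")
    if port != 4443:
        warnings.append("port differs from 4443; confirm it matches the Restore Portal setting")
    return warnings
```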
I hope you like this blog entry, and it is useful for you.