
Workflow to add an Organization to Veeam Backup for Microsoft 365

The below workflow follows the process of adding an Organization with Modern App-Only Authentication. While these instructions were written for version 6.0, they can be applied to version 5.0 with minor changes to the API calls used.

  1. Customer inputs data in custom portal/form (not Veeam)
    • You can define the data collected in this form according to your business requirements. None of this data is required in order to add the MS Organization to Veeam.
  2. Generate the Microsoft userCode & verificationUrl
    • Provide both to the customer
  3. PAUSE: This is where your workflow pauses and waits for the customer.
  4. The customer accesses the URL where they enter the code provided and authenticate to MS.
  5. UNPAUSE: Customer has provided access
  6. Add the Organization to Veeam
  7. At this point, initial onboarding is complete and Backup Jobs can be created to protect Organization data.

Starting with Veeam Backup for Microsoft 365 6.0, an additional step is required if the Restore Portal is being used. See Veeam documentation step #5. As an alternative, this script can be provided to tenants for this step.

API calls involved in the above workflow

Step #2: POST /v6/DeviceCode

Step #6: POST /v6/Organizations

  • The userCode from step #2 is also used in this API call.
  • Generate a self-signed certificate (see sample code below). This certificate is used as a shared secret between you and Microsoft.

Here are some recommendations:

  • Create a unique certificate for each Organization. This ensures that a single compromised certificate doesn’t compromise all of your tenants.
  • Store these certificates in a secure location, as they will be useful if you ever decide to automate restores.
  • Use identifiable friendly names.

Here’s sample code that can generate a self-signed certificate:

OpenSSL

openssl req -x509 -newkey rsa:4096 -keyout cert.key -out cert.cer -days 3650 -passout pass:veeam -subj "/C=US/ST=Kentucky/L=Lexington/O=Veeam Software/OU=VCSP/CN=veeam.contoso.local"
openssl pkcs12 -export -out cert.pfx -inkey cert.key -in cert.cer -passin pass:veeam -passout pass:veeam -name "Contoso VB365 Tenant"
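# Single-line Base64 of the PFX; openssl base64 takes the same options on Linux and macOS
openssl base64 -A -in cert.pfx -out vbo-application-certificate.txt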

PowerShell

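# Subject uses Windows X.500 syntax; the certificate is created in the current user's store
$cert = New-SelfSignedCertificate -Type Custom -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeyUsage None -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(10) -Subject "CN=veeam.contoso.local, OU=VCSP, O=Veeam Software, L=Lexington, S=Kentucky, C=US" -FriendlyName "Contoso VB365 Tenant"
$securestring = ConvertTo-SecureString -String "veeam" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath "vbo-application-certificate.pfx" -Password $securestring
# ReadAllBytes works in both Windows PowerShell 5.1 and PowerShell 7 (Get-Content -Encoding Byte does not)
$pfx_cert = [System.IO.File]::ReadAllBytes((Resolve-Path "vbo-application-certificate.pfx").Path)
# ASCII output avoids the UTF-16 default of Out-File in Windows PowerShell 5.1
[System.Convert]::ToBase64String($pfx_cert) | Out-File "vbo-application-certificate.txt" -Encoding ascii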

The result of the above sample code is a text file (vbo-application-certificate.txt) that contains the value for the applicationCertificate parameter, with an applicationCertificatePassword of veeam. Both are passed as parameters of this API call (POST /v6/Organizations).
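
The recommendations above (a unique certificate per Organization, secure storage, identifiable friendly names) can be combined into one helper. This is an added shell example, not part of the original page or of Veeam's tooling. The function name `new_tenant_cert`, the `KEY_BITS` variable, the output file names, the use of the tenant name as CN, and the random password in place of the sample password `veeam` are all assumptions of this example.

```shell
# Added example, not Veeam's code: one certificate and one random PFX
# password per Organization. new_tenant_cert, KEY_BITS and the file names
# below are hypothetical.
new_tenant_cert() {
    tenant="$1"   # e.g. contoso.onmicrosoft.com, used as CN and friendly name
    base="$2"     # directory holding one subdirectory per tenant
    # Allow only characters that cannot alter the -subj string or the path.
    case "$tenant" in
        ''|*[!A-Za-z0-9.-]*) echo "invalid tenant name" >&2; return 1 ;;
    esac
    dir="$base/$tenant"
    if [ -e "$dir" ]; then echo "refusing to overwrite $dir" >&2; return 1; fi
    (
        umask 077    # directory and key material readable by the owner only
        mkdir -p "$dir" || exit 1
        # Random password, handed to openssl through the environment so it
        # does not show up in the process argument list.
        TENANT_PFX_PASS=$(openssl rand -hex 24) || exit 1
        export TENANT_PFX_PASS
        openssl req -x509 -newkey "rsa:${KEY_BITS:-4096}" -sha256 -days 3650 \
            -keyout "$dir/cert.key" -out "$dir/cert.cer" \
            -passout env:TENANT_PFX_PASS \
            -subj "/C=US/ST=Kentucky/L=Lexington/O=Veeam Software/OU=VCSP/CN=$tenant" || exit 1
        openssl pkcs12 -export -out "$dir/cert.pfx" \
            -inkey "$dir/cert.key" -in "$dir/cert.cer" \
            -passin env:TENANT_PFX_PASS -passout env:TENANT_PFX_PASS \
            -name "$tenant VB365 Tenant" || exit 1
        rm -f "$dir/cert.key"    # the PFX now carries the private key
        # Single-line Base64 for the applicationCertificate parameter.
        openssl base64 -A -in "$dir/cert.pfx" \
            -out "$dir/applicationCertificate.txt" || exit 1
        printf '%s\n' "$TENANT_PFX_PASS" > "$dir/applicationCertificatePassword.txt"
    )
}
```

Call it as `new_tenant_cert contoso.onmicrosoft.com /path/to/certs`. The function only sets owner-only permissions, so move the PFX and password file into your secrets store once the Organization has been added.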