Using Microsoft Graph Export API for Teams
| KB ID: | 4322 |
| Product: | Veeam Backup for Microsoft 365 | 6.0 |
| Published: | 2022-06-10 |
| Last Modified: | 2022-06-11 |
Purpose
Starting with Veeam Backup for Microsoft 365 6a, the backup of Microsoft Teams data will now be performed using Microsoft Graph Export API for Teams. These APIs access sensitive data and are considered protected APIs. To access these APIs, a form must be filled out to request access. This Veeam KB article documents what information the Microsoft form to "Request access to Protected APIs in Microsoft Graph" requires.
Due to Microsoft's planned deprecation of Exchange Web Services (EWS) backup for the TeamsMessagesData folder, which was used in previous versions of Veeam Backup for Microsoft 365, moving forward Veeam Backup for Microsoft 365 will use the Microsoft Graph Export APIs for Teams to backup public channel messages.
Important Notes:
- Starting with Veeam Backup for Microsoft 365 6a, the protection of Teams data will no longer be enabled by default.
- To protect Teams data additional steps must be performed and then the Teams backup must be explicitly enabled.
- Utliizing the Microsoft Graph Export API for Teams comes at an additional cost from Microsoft.
- Microsoft's onboarding process for access to the Graph Export API may take up to two weeks to be processed. As such, it is advisable to begin the process of requesting API access as soon as possible.
- The Microsoft Graph Export API for Teams is currently not supported in Microsoft 365 US Government, Germany and China regions.
Solution
Register App and Collect Information for API Request Form
When adding an organization with modern authentication to Veeam Backup for Microsoft 365, after following the login prompts, you will end up with an app registration. You will need information about this app registration to request Protected API access in the next section.
- Log into portal.azure.com and select Azure Active Directory.
If your account has access to more than one directory, ensure you have selected the relevant one. - Under Azure Active Directory overview, gather the Tenant ID.
- In the Veeam Backup for Microsoft 365 Console, right-click the Organization and select 'Edit organization'. Gather the Application ID.
Note that there is now a checkbox specifically for Microsoft Teams. That checkbox needs to be selected to back up Teams data. If access to the API has not been granted and this checkbox is enabled, the Teams backup will fail. Click next until you get to the Microsoft 365 connection settings. - Under App Registrations in Azure AD, review the API permissions assigned to the app registration used.
Ensure that the Microsoft Graph Application permission to ChannelMessage.Read.All is assigned.
Request API Access
As documented in Protected APIs in Microsoft Teams:
To request access to these protected APIs, complete the following request form.
Note: The process of whitelisting an app registration may take up to two weeks to complete.
Form Fields
To simplify the request process Veeam has documented each of the fields you will fill out to request Protected API access. Where possible text below will have a copy button, so that you can easily pate the text into the form. Each step number below corelates to the numbered entry in the "Request access to Protected APIs in Microsoft Graph" form (as of 2022-06-09).
If you notice that the Microsoft form has changed and no longer aligns with the information below, please Send KB Feedback.
- Your email address and any others you want to list as an owner — Enter an email address for the organization you wish to protect.
- Publisher name:
Veeam Software Corporation- Application name:
Veeam Backup for Microsoft 365- Application ID(s) to enable permissions for — Enter the application id you gathered earlier
- Which category best describes your application — Backup/restore.
- Why does your application need read access to all messages in the tenant?
For backup and compliance purposes- Data Retention:
- It is obvious to any admin installing this app that it will make a copy of Microsoft Teams messages.
- It is obvious to any admin installing this app that it will make a copy of Microsoft Teams messages.
- What are the tenant ID's that this application needs to run in? — Enter the tenant id you gathered earlier.
- Does your organization own all those tenants? — Yes
Click [ Next ]
- What is the homepage URL registered for the application ID?
https://www.veeam.com/backup-microsoft-office-365.html- Terms of service URL?
https://www.veeam.com/eula.html- Privacy statement URL?
https://www.veeam.com/privacy-notice.html
Click [ Next ]
- May we contact you about your app's use of non-protected APIs? — Yes
Click [ Submit ]
More Information
Until the whitelisting is complete you will get the following error when you try to back up Teams data:
Failed to process team: <teamname> Invoked API requires Protected API access in application—only context when not using Resource Specific Consent. Visit https://docs.microsoft.com/en—us/graph/teams—protected—apis for more details.. The remote server returned an error: (403) Forbidden.
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.