Section 1 — Phase 05 Overview
Parallel Execution
Phase 05 and Phase 06 can run IN PARALLEL — they do not depend on each other. Start both at the same time if staffing allows. Phase 05 covers M365 + Cloud workloads, Phase 06 deploys Veeam ONE monitoring. Both require the VBR Cluster (Phase 01–04) to be complete first.
Cloud & M365 Protection Architecture
[VBR Main (VSA Cluster)]
│
├── [Veeam Backup for M365 Server] (separate VM – NOT shared with VBR)
│   ├── Exchange Online ──────────→ S3-M365-Bucket (immutable 90d)
│   ├── SharePoint Online ─────────→ S3-M365-Bucket (immutable 90d)
│   ├── OneDrive ─────────────────→ S3-M365-Bucket (immutable 90d)
│   └── Teams ────────────────────→ S3-M365-Bucket (immutable 90d)
│   Auth: Modern Auth (OAuth 2.0) via Azure App Registration
│
└── [VBR Agent Jobs] → Cloud VMs (AWS / Azure)
    ├── AWS EC2 instances ──────→ SOBR-Enterprise (same as on-prem)
    ├── Azure VMs ───────────────→ SOBR-Enterprise (same as on-prem)
    └── Reports to: VBR Main Console (unified management)

Legend:
  VSA Cluster = VBR HA Cluster (Phase 01–02)
  SOBR-Enterprise = Scale-Out Backup Repository (Phase 04)
  S3-M365-Bucket = Dedicated S3 bucket, NEVER shared with SOBR
Part A: Microsoft 365
- Exchange Online – mailbox backup (hourly)
- SharePoint Online – site & document backup
- OneDrive for Business – user file backup
- Microsoft Teams – channels & conversations
- Restore Portal for helpdesk self-service
Part B: Cloud VMs (AWS/Azure)
- VBR Agent deployment to cloud VMs
- Unified SOBR-Enterprise for cloud backups
- Azure Instant Recovery (DR failover)
- RPO < 1 hour for cloud workloads
- Centralized reporting via VBR console
Section 2 — Breaking Changes v13: M365 Authentication
CRITICAL — Basic Authentication Removed by Microsoft
Microsoft removed Basic Authentication for M365 in 2023. If Veeam M365 is configured with Basic Auth, the CONNECTION FAILS immediately. Older Veeam versions (v11 and below) that still use Basic Auth cannot connect after the cut-off date. Use Modern Auth (OAuth 2.0) only.
FIX: Switch to Modern Authentication (OAuth 2.0) in Organization settings
M365 Authentication Method Comparison
| Auth Method | Status | Veeam Support | Notes |
|---|---|---|---|
| Basic Auth (username/password) | ❌ Deprecated Oct 2023 | ❌ Will fail immediately | Do not use under any circumstances |
| Modern Auth (OAuth 2.0) | ✅ Current standard | ✅ Required – v12+ | Default and mandatory method |
| Certificate-based Auth | ✅ Enterprise option | ✅ Supported – v13 | For environments that require no stored secrets |
| App-only Auth (service principal) | ✅ Recommended | ✅ Best practice v13 | No user account needed, uses an Azure App |
Important Changes in Veeam Backup for M365 v7 (integrated with VBR v13)
- Azure App Registration: Veeam automatically creates the App Registration with the correct permissions — no manual creation needed
- Teams backup: full support for Teams channels, chats and files (v6 and earlier backed up metadata only)
- Immutability: S3 Object Lock Compliance mode is supported for the M365 repository (new in v7)
- eDiscovery export: direct export to PST/EML for legal hold
- Cross-tenant restore: restore from tenant A to tenant B (DR scenario)
Section 3 — Part A: M365 Sizing & Requirements
VM Requirements — Veeam Backup for M365 Server
| Resource | Minimum | Recommended (Enterprise) | Notes |
|---|---|---|---|
| OS | Windows Server 2022 | Windows Server 2022 | 2019 supported but not recommended |
| vCPU | 4 vCPU | 8 vCPU | +2 vCPU per 1,000 users |
| RAM | 8 GB | 16 GB | 32 GB for >1,000 users |
| System Disk | 100 GB | 200 GB SSD | OS + Veeam software + logs |
| Network | 1 GbE | 10 GbE | Outbound to Microsoft 365 + S3 |
| Internet Access | Required | Direct or via proxy | Needs access to Microsoft 365 endpoints |
| SQL (optional) | SQL Express (built-in) | SQL Server (external) | SQL Express: 10 GB limit, <500 users only |
Storage Sizing Formula — S3 Bucket for M365
# Formula
S3 Bucket Size = users × data_per_user_GB × growth_factor × retention_years

# Example: 500 users, 1-year retention, 30% annual growth
= 500 × 5 GB × 1.3 (growth factor) × 1 year
= 500 × 5 × 1.3 = 3,250 GB ≈ 3.25 TB

# Example: 500 users, 3-year retention (compliance)
= 500 × 5 GB × 1.3 × 3 = 9,750 GB ≈ 9.75 TB

# Rule of thumb:
#   Plan 5–8 GB per user per year (email heavy: use 8 GB)
#   Add 30% growth buffer
#   Compliance retention (3+ years): multiply accordingly

- 5–8 GB: per user per year (rule of thumb)
- 1.3×: growth factor (30% annual)
- 90 days: minimum S3 immutability lock
Port & Firewall Requirements
| Source | Destination | Port | Purpose |
|---|---|---|---|
| M365 Server | *.office365.com | 443/TCP | M365 API access |
| M365 Server | S3 endpoint | 443/TCP | Object storage backup |
| Admin browser | M365 Server | 4443/TCP | Veeam M365 Web UI |
| VBR Console | M365 Server | 4443/TCP | Veeam ONE integration |
| M365 Server | Azure AD | 443/TCP | OAuth 2.0 token exchange |
Section 4 — Step 1: Deploy Veeam Backup for Microsoft 365 Server
IMPORTANT: Veeam Backup for M365 is a SEPARATE product — its installer and license differ from VBR. Do NOT install it on the VBR Server or on a cluster node.
Deployment Steps
Create a new Windows Server 2022 VM (SEPARATE)
VM Name: veeam-m365.domain.local — 8 vCPU, 16 GB RAM, 200 GB SSD system disk. Domain-joined. gMSA service account recommended.
Download the Veeam Backup for Microsoft 365 Installer
Download from veeam.com/downloads — a separate file, not the VBR ISO. The version must match VBR (v7 for VBR v13).
Install with the Enterprise configuration
Installation type: Custom (not Express)
Components:
  ✅ Veeam Backup for Microsoft 365 Server
  ✅ Veeam Backup for Microsoft 365 REST API
  ✅ Veeam Explorers (Exchange, SharePoint, Teams, OneDrive)
Web UI default port: 4443
Service account: DOMAIN\svc-veeam-m365 (local admin)
SQL: Connect to existing SQL Server (recommended) or SQL Express
Create a dedicated S3 bucket for M365 (BEFORE configuration)
AWS Console → S3 → Create bucket:
  Bucket name: veeam-m365-backups-[company]  ← SEPARATE from SOBR bucket!
  Region: ap-southeast-1 (same region as VBR)
  Versioning: Enabled (required for immutability)
  Object Lock: Enabled, Compliance mode, 90 days
  Encryption: SSE-S3 (AES-256)
  Block Public Access: All enabled
  Access: Create dedicated IAM user with S3 permissions only
Verify the installation
Browse to https://veeam-m365.domain.local:4443 and sign in with Windows credentials. The dashboard should show "No Organizations" (not yet configured). Check that the services are running.
NEVER Share S3 Buckets Between VBR and M365 Backup
Sharing one S3 bucket causes: (1) storage usage cannot be calculated accurately, (2) retention policy conflicts between the two products, (3) needlessly complex IAM permissions, (4) risk of accidentally deleting the other product's data. Always create a separate bucket for each product.
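A bucket audit that checks the settings required above (dedicated bucket, versioning, Object Lock Compliance 90 days, SSE-S3, Block Public Access). This is an added example, not Veeam's or AWS's code; the input dicts are assumed to have the shape of the boto3 get_bucket_versioning / get_object_lock_configuration / get_bucket_encryption / get_public_access_block responses, and all sample values and bucket names are constructed.

```python
REQUIRED_LOCK_DAYS = 90
SOBR_BUCKET = "veeam-sobr-enterprise-examplecorp"  # constructed placeholder
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def audit_m365_bucket(name, versioning, object_lock, encryption, public_access,
                      sobr_bucket=SOBR_BUCKET):
    """Return a list of findings; an empty list means the bucket matches the page's settings."""
    findings = []
    if name == sobr_bucket:
        findings.append("bucket is the SOBR bucket; M365 needs its own bucket")
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not Enabled (Object Lock requires it)")
    cfg = object_lock.get("ObjectLockConfiguration", {})
    ret = cfg.get("Rule", {}).get("DefaultRetention", {})
    days = ret.get("Days") or ret.get("Years", 0) * 365
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled")
    elif ret.get("Mode") != "COMPLIANCE":
        findings.append(f"Object Lock mode is {ret.get('Mode')}, expected COMPLIANCE")
    elif days < REQUIRED_LOCK_DAYS:
        findings.append(f"default retention is {days} days, expected >= {REQUIRED_LOCK_DAYS}")
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if "AES256" not in algos:
        findings.append("default encryption is not SSE-S3 (AES256)")
    pab = public_access.get("PublicAccessBlockConfiguration", {})
    for key in PAB_KEYS:
        if not pab.get(key, False):
            findings.append(f"Block Public Access setting {key} is off")
    return findings

# Constructed sample matching the settings above.
HARDENED = dict(
    name="veeam-m365-backups-examplecorp",
    versioning={"Status": "Enabled"},
    object_lock={"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                 "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}},
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [
                 {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    public_access={"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}},
)
# Constructed weak sample: Governance mode, 30 days, and the bucket is shared with SOBR.
WEAK = dict(HARDENED, name=SOBR_BUCKET,
            object_lock={"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                         "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}})
```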
Section 5 — Step 2: Add M365 Organization (OAuth 2.0)
M365 Tenant Connection Procedure
Console → Organizations → Add Organization → Microsoft 365
Select Microsoft 365 (not Microsoft 365 for Organizations if using GCC/DoD)
Select Authentication: Modern Authentication (OAuth 2.0)
Organization name: Company Corp M365
Region: Worldwide (or specific if GCC/DoD)
Authentication type: ● Modern Authentication (OAuth 2.0)  ← SELECT THIS
App registration: ● Create new Azure AD application automatically  ← RECOMMENDED
Veeam Automatically Creates the Azure App Registration
Permissions granted automatically (a Global Admin or Application Admin is needed to approve):
Mail.ReadWrite
MailboxSettings.Read
Calendars.ReadWrite
Contacts.ReadWrite
Sites.ReadWrite.All
Sites.FullControl.All
Files.ReadWrite.All
TeamSettings.Read.All
Channel.ReadBasic.All
ChannelMessage.Read.All
User.Read.All
Group.Read.All
Directory.Read.All
Admin Consent in the Azure AD Portal
Azure Portal → Azure Active Directory → App Registrations
→ Find: "Veeam Backup for Microsoft 365 - [timestamp]"
→ API Permissions → Grant admin consent for [YourDomain]
→ Confirm: All permissions show green checkmark ✓
→ Copy: Application (client) ID  ← save for troubleshooting
Verify — Organization Appears with Correct User Count
After sync: the organization appears in the list with a user count matching the M365 tenant. Status: Connected (green). If user count = 0, check whether Admin Consent has been granted.
Timing note: after Grant Admin Consent, Veeam needs 5–15 minutes to sync the user list from M365 (depending on the number of users). Initial sync for 10,000+ users can take 30–60 minutes.
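A consent check for the verification step above, as an added example (not Veeam's code): it compares the permissions the page lists against what the app's API Permissions page shows and applies the "user count = 0 means consent is missing" rule. The per-permission row shape `{"permission": name, "admin_consent": bool}` is an assumption; the sample rows are constructed.

```python
# Every Graph permission the page lists for the Veeam app registration.
REQUIRED_PERMISSIONS = frozenset({
    "Mail.ReadWrite", "MailboxSettings.Read", "Calendars.ReadWrite",
    "Contacts.ReadWrite", "Sites.ReadWrite.All", "Sites.FullControl.All",
    "Files.ReadWrite.All", "TeamSettings.Read.All", "Channel.ReadBasic.All",
    "ChannelMessage.Read.All", "User.Read.All", "Group.Read.All",
    "Directory.Read.All",
})

def check_admin_consent(granted):
    """granted: one dict per row of the app's API Permissions page (assumed shape:
    {"permission": str, "admin_consent": bool}). Returns (missing, not_consented)."""
    seen = {row["permission"]: bool(row["admin_consent"]) for row in granted}
    missing = sorted(REQUIRED_PERMISSIONS - set(seen))
    not_consented = sorted(p for p in REQUIRED_PERMISSIONS & set(seen) if not seen[p])
    return missing, not_consented

def diagnose_organization(granted, user_count):
    """Apply the page's rule: a synced organization showing 0 users points at
    missing admin consent; otherwise report what is absent or not yet consented."""
    missing, pending = check_admin_consent(granted)
    if not missing and not pending:
        if user_count > 0:
            return "ok"
        return "consent ok; wait for initial sync (5-15 min, up to 60 min for 10,000+ users)"
    parts = []
    if missing:
        parts.append("missing: " + ", ".join(missing))
    if pending:
        parts.append("consent not granted: " + ", ".join(pending))
    prefix = "user count is 0; " if user_count == 0 else ""
    return prefix + "; ".join(parts)

# Constructed sample: Group.Read.All was never added, Directory.Read.All awaits consent.
SAMPLE_ROWS = [{"permission": p, "admin_consent": p != "Directory.Read.All"}
               for p in sorted(REQUIRED_PERMISSIONS) if p != "Group.Read.All"]
```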
Section 6 — Step 3: Create the S3 Repository for M365
Configure the S3 Object Storage Repository
# Veeam Backup for M365 Console
Console (M365 Web UI) → Backup Repositories → Add Repository

Step 1 - Type:
  ● Object Storage → Amazon S3 Compatible
    (or Amazon S3 if using AWS directly)

Step 2 - Account:
  → Add new account:
      Display name: AWS-S3-M365-Credentials
      Access key: [IAM_ACCESS_KEY_ID]
      Secret key: [IAM_SECRET_ACCESS_KEY]
  → Region: ap-southeast-1 (or your region)

Step 3 - Bucket:
  → Name: S3-M365-Backup
  → Bucket: veeam-m365-backups-[company]  ← SEPARATE from SOBR bucket!
  → Folder: /m365-backups/
  → Enable immutability: ✅ YES
  → Immutability period: 90 days
  → Mode: Compliance (cannot be deleted even by root)

Step 4 - Advanced:
  → Encryption: ✅ Enable encryption
  → Password: [generate strong 32-char password, store in vault]
  → Algorithm: AES-256
  → Concurrent tasks: 8 (adjust per bandwidth)
  → Size limit: Enable alert at 80% of planned capacity

Step 5 - Verify:
  → Test connection → SUCCESS
  → Repository appears in list with status: Active
Security Best Practices for the S3 M365 Repository
- IAM user for the M365 bucket: only s3:GetObject, s3:PutObject, s3:DeleteObject, s3:GetBucketVersioning — no bucket deletion permission
- Enable S3 Access Logging for an audit trail
- Use an S3 Bucket Policy to block access from VBR's VPC endpoints (cross-product isolation)
- Store the encryption password in HashiCorp Vault or AWS Secrets Manager
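The least-privilege IAM policy the first bullet describes, plus a checker that flags an existing policy reaching beyond it. This is an added example, not Veeam's documented permission set: the action list follows the page, and the assumption is that your Veeam version needs nothing beyond it (vendor docs for your release are authoritative, e.g. whether s3:ListBucket is also required); the bucket name is a constructed placeholder.

```python
import json
from fnmatch import fnmatch

M365_BUCKET = "veeam-m365-backups-examplecorp"   # constructed placeholder
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
BUCKET_ACTIONS = ["s3:GetBucketVersioning"]
# Never grant these to the backup identity: they delete the bucket or weaken
# the immutability, versioning and access-logging controls configured above.
FORBIDDEN_ACTIONS = ("s3:DeleteBucket", "s3:PutBucketVersioning",
                     "s3:PutBucketObjectLockConfiguration", "s3:PutBucketLogging",
                     "s3:PutBucketPolicy", "s3:BypassGovernanceRetention")

def build_m365_policy(bucket=M365_BUCKET):
    """Object read/write/delete on the bucket's keys, versioning read on the bucket itself."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "M365Objects", "Effect": "Allow", "Action": OBJECT_ACTIONS,
         "Resource": f"arn:aws:s3:::{bucket}/*"},
        {"Sid": "M365BucketRead", "Effect": "Allow", "Action": BUCKET_ACTIONS,
         "Resource": f"arn:aws:s3:::{bucket}"}]}

def policy_json(bucket=M365_BUCKET):
    return json.dumps(build_m365_policy(bucket), indent=2)

def _as_list(v):
    return v if isinstance(v, list) else [v]

def policy_findings(policy, bucket=M365_BUCKET):
    """Flag Allow statements that reach outside the M365 bucket or grant a forbidden
    action. IAM action names are case-insensitive, so wildcards are matched lowercased."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        for res in _as_list(st.get("Resource", "*")):
            if res != f"arn:aws:s3:::{bucket}" and not res.startswith(f"arn:aws:s3:::{bucket}/"):
                findings.append(f"{sid}: resource {res} is outside the M365 bucket")
        for pattern in _as_list(st.get("Action", [])):
            for bad in FORBIDDEN_ACTIONS:
                if fnmatch(bad.lower(), pattern.lower()):
                    findings.append(f"{sid}: action {pattern} grants {bad}")
    return findings
```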
Section 7 — Step 4: Create Backup Jobs (4 Services)
Overview of the 4 Backup Jobs
| Job | Source | Schedule | Retention | Priority | Reason |
|---|---|---|---|---|---|
| Exchange Online | All mailboxes + shared mailboxes | Every 1 hour | 1 year | HIGH | Compliance, legal hold, eDiscovery |
| SharePoint Online | All site collections | Daily 02:00 | 1 year | MEDIUM | Document recovery, site restore |
| OneDrive | All user OneDrives | Daily 03:00 | 1 year | MEDIUM | User file recovery, ransomware |
| Microsoft Teams | All teams + channels | Daily 04:00 | 1 year | MEDIUM | Conversation history, compliance |
Exchange Online Job — Detailed Configuration (Hourly)
Jobs → Add Job → Microsoft Exchange
→ Name: M365-Exchange-Hourly
→ Organization: Company Corp M365
→ Objects: ● All mailboxes (include shared mailboxes ✅, resource mailboxes ✅)
→ Backup repository: S3-M365-Backup
→ Schedule:
    Run job automatically: ✅
    Schedule type: ● Periodically every: 1 Hours
    Start at: 00:00 (midnight, first run)
    → Job will run at: 00:00, 01:00, 02:00 ... 23:00
→ Retention:
    Restore points to keep: 365 (1 year of daily)
    Keep legal hold items: ✅ (never delete items on legal hold)
→ Notification:
    Email on failure: [email protected]
    Email on warning: [email protected]
→ Advanced:
    Item-level indexing: ✅ (enables search in individual emails)
    Backup public folders: ✅
    Include archive mailboxes: ✅

# COMPLIANCE NOTE:
# Hourly backup = worst case email loss = 1 hour
# Required for ISO 27001 and GDPR compliance in most frameworks
# Each restore point allows recovering individual emails
SharePoint, OneDrive & Teams Jobs — Template
# Repeat for SharePoint, OneDrive, Teams (similar configuration):
Jobs → Add Job → [Microsoft SharePoint | OneDrive | Teams]
→ Name: M365-[Service]-Daily
→ Objects: ● All [sites | users | teams]
→ Backup repository: S3-M365-Backup
→ Schedule:
    Run job automatically: ✅
    Schedule type: ● Daily at: [02:00 | 03:00 | 04:00]
    Days: Every day
→ Retention: 365 restore points
→ Advanced (SharePoint only):
    Include subsites: ✅
    Include lists and libraries: ✅
→ Advanced (Teams only):
    Include private channels: ✅
    Include team files: ✅ (stored in SharePoint)
Section 8 — Step 5: Self-Service Restore Portal (Helpdesk)
Configure the Veeam Restore Portal
# Veeam M365 Console → Restore Portal
Console → Settings → Restore Portal

Step 1 - Enable Portal:
  Restore Portal: ● Enable
  URL: https://veeam-m365.domain.local:4443/restore
  Certificate: [upload SSL cert or use self-signed for internal]

Step 2 - Add Restore Operators (Helpdesk accounts):
  → Add Restore Operator:
      User/Group: DOMAIN\helpdesk-tier1 (AD group)
      Roles: ● Restore Operator
      Scope: Exchange mailboxes in OU=HCM-Users (limit to their region)
  → Add Restore Operator:
      User/Group: DOMAIN\it-manager
      Roles: ● Restore Operator
      Scope: All objects (unrestricted for manager)

Step 3 - Configure Allowed Restore Operations:
  ✅ Restore to original location
  ✅ Export to PST/EML
  ✅ Send to user's mailbox as attachment
  ❌ Restore to different user's mailbox (security risk - disable)
  ❌ Delete items permanently (disable)

Step 4 - Branding (optional):
  Company name: [Your Company] IT Support
  Logo: upload company logo
  Support email: [email protected]
Use Cases — Helpdesk Self-Service
Helpdesk Tier 1 can handle these on their own:
- A user accidentally deleted an important email → restore from the M365 backup
- A user needs an older version of a SharePoint file
- Locate email lost after a mailbox migration
No Backup Admin intervention required:
- MTTR reduced from 4 hours to 15 minutes
- 24/7 self-service (no dependency on the backup admin)
- Audit log: every restore is recorded
Section 9 — Step 6: Test Recovery (Mandatory)
3 Mandatory Test Cases After Configuration
Restore Single Email → Original Mailbox
Veeam M365 Console → Restore → Exchange → Individual items
→ Organization: Company Corp M365
→ User: [email protected]
→ Browse to: Inbox → select email from yesterday
→ Restore options: ● Restore to original location (overwrite if exists)
→ Reason: "Recovery Test Phase 05 - [date]"
→ Click Restore → monitor progress
Expected result: Email reappears in user's inbox within 2-5 minutes
Verify: Log into testuser's Outlook → confirm email present
Pass Criteria: Email restored successfully, restore log shows no errors, user confirms receipt.
Restore SharePoint File → Original Location
Restore → SharePoint → Document Libraries
→ Site: https://[tenant].sharepoint.com/sites/IT
→ Library: Documents → navigate to test file
→ Select file version from 2 days ago
→ Restore: ● Restore to original location
→ Overwrite: ● Overwrite existing (test purposes)
Expected result: File in SharePoint matches the older version
Verify: Browse SharePoint site → check file version history
Pass Criteria: File version restored, version history updated in SharePoint.
Export Teams Conversation → PST (Legal/Compliance)
Restore → Teams → Conversations
→ Team: [Test Team]
→ Channel: General
→ Date range: last 30 days
→ Action: ● Export to PST file
→ Save location: \\fileserver\legal-exports\[case-id]\
Expected result: PST file created, importable in Outlook
Verify: Import PST in Outlook → confirm conversations present and readable
Pass Criteria: PST exported successfully, file importable, conversations readable with correct timestamps.
Section 10 — Part B: Protecting Cloud VMs (AWS/Azure)
Comparison of Cloud VM Protection Options
| Option | Best For | Pros | Cons |
|---|---|---|---|
| Veeam Backup for AWS | AWS-native, large fleets | No agent required, snapshot-based, low RPO, policy-driven | Extra product license, separate console |
| Veeam Backup for Azure | Azure-native, large fleets | No agent, snapshot-based, native Instant Recovery to Azure | Extra product license, separate console |
| VBR Agent (recommended) | Hybrid, mixed clouds, <50 VMs | Single VBR console, no extra license, same SOBR, unified reporting | Needs agent deployed to each VM, OS-level backup only |
Recommendation: For <50 cloud VMs, use the VBR Agent (simpler, no extra license, managed through the existing VBR Console). For >50 VMs per platform, consider the platform-native products for better performance and features. This phase deploys the VBR Agent approach.
Section 11 — Protecting Cloud VMs via VBR Agent
VBR Agent Deployment Steps for Cloud VMs
Create Protection Group → Cloud Machine Type
VBR Console → Inventory → Physical Infrastructure → Add Protection Group
→ Type: ● Cloud machine
→ Name: PG-AWS-Production / PG-Azure-Production
→ Description: Cloud VMs in AWS/Azure production environment
Add Cloud VM IPs/Hostnames
Computers: ● Individual computers
→ Add computers:
    10.0.1.50 - aws-web-01 (Linux)
    10.0.1.51 - aws-web-02 (Linux)
    10.0.2.10 - azure-db-01 (Windows)
    ... (or import from CSV)
Credentials: SSH key (Linux) / RDP admin (Windows)
Connection: Via Veeam Gateway (if direct is blocked by firewall)
Auto-Deploy Agent (Push)
VBR automatically pushes Veeam Agent for Linux/Windows to the cloud VMs. Requirements: SSH/WinRM access from VBR, credentials with sudo/admin rights. Agent version matching VBR v13.
Create Backup Job → SOBR-Enterprise (together with on-prem)
Jobs → Backup → Agent Backup
→ Name: Cloud-VMs-Hourly
→ Protection Group: PG-AWS-Production + PG-Azure-Production
→ Mode: ● Managed by backup server
→ Repository: SOBR-Enterprise  ← same as on-prem VMs!
→ Retention: 14 restore points (14 hours with hourly schedule)
→ Schedule: Every 1 hour (RPO target: <1 hour)
→ Guest Processing: ✅ Application-aware (for databases)
Verify — Reports to SOBR-Enterprise (Unified)
After the job runs: VBR Console → Jobs → Cloud-VMs-Hourly → Last Run: Success. Storage consumption is visible in the SOBR-Enterprise dashboard. Cloud VMs and on-prem VMs appear in the same view.
Section 12 — Azure Instant Recovery (DR Feature)
Key Feature: Azure Instant Recovery can boot ANY VBR backup (including on-prem VMware VMs) directly in Azure within minutes — no pre-staged DR environment required. This is the most important hybrid cloud DR feature in Veeam v13.
Configure Azure Cloud Credentials
# Step 1: Add Azure Account to VBR
VBR Console → Backup Infrastructure → Cloud Credentials → Add
→ Type: Microsoft Azure
→ Authentication: ● Microsoft Azure Active Directory
→ Subscription ID: [your-azure-subscription-id]
→ Tenant ID: [your-azure-tenant-id]
→ Client ID: [app-registration-client-id]
→ Client Secret: [app-registration-secret]
→ Display Name: Azure-DR-Account

# Required Azure RBAC permissions for VBR service principal:
az role assignment create \
  --assignee [client-id] \
  --role "Contributor" \
  --scope /subscriptions/[subscription-id]

# Step 2: Configure default restore settings
→ Resource Group: rg-veeam-dr-restore
→ Virtual Network: vnet-dr-isolated (ISOLATED from production!)
→ Subnet: snet-dr-testing
→ Storage Account: stveeamdrtesting (for temp disks)
→ Region: Southeast Asia (or closest to on-prem)
CRITICAL: Isolated Network for DR Testing
The VNet used for DR testing must have NO connectivity back to the production network (no VPN/ExpressRoute, no peering to on-prem or to the production VNet). If a DR VM connects back to production, duplicate IPs/DNS will cause a production outage!
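An isolation check for the DR VNet described above, as an added example (not Veeam's or Microsoft's code): it flags peerings, a GatewaySubnet (where a VPN/ExpressRoute gateway would live), address space overlapping production, and production DNS servers. The input dict is assumed to have the shape of `az network vnet show -o json` output; the production ranges, resolvers and both sample VNets are constructed.

```python
import ipaddress

# Constructed production ranges and DNS servers (assumption; replace with yours).
PRODUCTION_PREFIXES = ["10.0.0.0/8", "192.168.0.0/16"]
PRODUCTION_DNS = {"10.0.0.10", "10.0.0.11"}

def dr_vnet_findings(vnet):
    """vnet: dict shaped like `az network vnet show -o json` output (assumption).
    Returns the reasons this VNet is NOT isolated from production; [] means isolated."""
    findings = []
    # 1. Any peering is a path to another VNet (production, or a hub with on-prem routes).
    for p in vnet.get("virtualNetworkPeerings", []):
        remote = p.get("remoteVirtualNetwork", {}).get("id", "?")
        findings.append(f"peering {p.get('name')} to {remote}")
    # 2. A GatewaySubnet means a VPN/ExpressRoute gateway can exist in this VNet.
    if any(s.get("name") == "GatewaySubnet" for s in vnet.get("subnets", [])):
        findings.append("GatewaySubnet present: VPN/ExpressRoute gateway possible")
    # 3. Overlap with production ranges reproduces the duplicate-IP failure mode.
    for prefix in vnet.get("addressSpace", {}).get("addressPrefixes", []):
        net = ipaddress.ip_network(prefix, strict=False)
        for prod in PRODUCTION_PREFIXES:
            if net.overlaps(ipaddress.ip_network(prod)):
                findings.append(f"address space {prefix} overlaps production {prod}")
    # 4. Custom DNS pointing at production resolvers causes the DNS conflicts above.
    for dns in vnet.get("dhcpOptions", {}).get("dnsServers", []):
        if dns in PRODUCTION_DNS:
            findings.append(f"DNS server {dns} is a production resolver")
    return findings

# Constructed samples: one matching vnet-dr-isolated above, one that leaks to production.
ISOLATED_VNET = {
    "name": "vnet-dr-isolated",
    "addressSpace": {"addressPrefixes": ["172.16.50.0/24"]},
    "subnets": [{"name": "snet-dr-testing"}],
    "dhcpOptions": {"dnsServers": []},
    "virtualNetworkPeerings": [],
}
LEAKY_VNET = {
    "name": "vnet-dr-bad",
    "addressSpace": {"addressPrefixes": ["10.0.2.0/24"]},
    "subnets": [{"name": "snet-dr-testing"}, {"name": "GatewaySubnet"}],
    "dhcpOptions": {"dnsServers": ["10.0.0.10"]},
    "virtualNetworkPeerings": [{"name": "to-hub", "remoteVirtualNetwork": {
        "id": "/subscriptions/<sub-id>/resourceGroups/rg-hub/providers/Microsoft.Network/virtualNetworks/vnet-hub"}}],
}
```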
DR Test Procedure — Azure Instant Recovery
Select the VM backup in the VBR Console → Restore → Instant Recovery → Microsoft Azure
Map settings: VM size (B2s for testing), Region (Southeast Asia), Resource Group (rg-veeam-dr-restore), VNet/Subnet (isolated DR network)
Click Restore → the VM starts in Azure within 3–7 minutes (time depends on backup size and Azure region latency)
Verify: Azure Portal → VM running, RDP/SSH accessible, application health check (web server, database service started)
VBR Console → Running VMs → select restored VM → Undo (deletes the Azure VM, releases all resources) once the test is complete
Production DR Scenario: On-prem datacenter fails → failover ALL critical VMs to Azure using Azure Instant Recovery → production runs in Azure while on-prem is restored → failback when ready (Veeam supports Azure to on-prem failback)
Section 13 — Post-Configuration Checklist & Risk Assessment
Phase 05 Completion Checklist
Risk Assessment
| Severity | Risk | Impact | Mitigation |
|---|---|---|---|
| Critical | Basic Auth used for M365 | Immediate connection failure, all M365 backups stop | Switch to OAuth 2.0 immediately |
| Critical | Shared S3 bucket VBR + M365 | Data confusion, retention conflicts, potential data loss | Always use separate buckets |
| High | Admin Consent not granted in Azure AD | M365 jobs fail silently or connect with partial permissions | Verify all API permissions show green checkmark |
| High | Azure DR network not isolated | Restored DR VMs may conflict with production | Dedicated isolated VNet with no peering |
| Medium | SQL Express 10 GB limit for M365 DB | Backup fails when catalog DB hits 10 GB (>500 users or long retention) | Use full SQL Server from the start |