This blog post is my note-taking on Veeam Backup for Microsoft 365 Best Practice.
Security & Hardening
Patching
Latest Windows Operating system patching on all veeam components
Authentication
1. Use Modern app-only authentication
2. Modern authentication with legacy protocols allowed [limited]
Veeam components
1. Workgroup / Join to domain for all veeam components
2. Self-signed certificate might not be allowed by enterprise customers. Prefer PKI (Internal PKI or External (Public) Certificate
Data Separation
1. Backup Copy
Can put on different cloud provider
Encryption
Additional security with at rest AES 256 encryption for Microsoft 365 data in object storage
Note: Password loss protection is NOT available
Self Service Restore Portal
1. Dedicate administrator to restore administrator
2. Access Self-Service Restore Portal for recovery. Avoid login to VM