Last Updated on September 24, 2024 by Michael Morten Sonne
Introduction
This blog post is about an issue I saw some time ago, when some recent changes were made in the Exchange Online backend – but I have not had time to finish it before now… 🫣
But I feel it's a bit fun and needs to be shared, as I enjoyed all the error status mails from my Veeam Backup solution at home 🤣
This blog post addresses an issue with Veeam Backup for Microsoft 365 where Exchange Online backups fail with the error: Failed to get folder properties. Not allowed to access Non IPM folder.
This issue impacts all versions of Veeam Backup for Microsoft 365; however, solutions are available for the following specific versions:
- Veeam Backup for Microsoft 365 6a P20230322 (build 6.1.0.1015)
- Veeam Backup for Microsoft 365 7 (builds 7.0.0.2911 – 7.0.0.4901)
- Veeam Backup for Microsoft 365 7a (builds 7.1.0.1301 – 7.1.0.1501)
What is Veeam Backup M365
Veeam Backup for Microsoft 365 is a backup solution designed to protect data stored in Microsoft 365 (formerly Office 365). Here’s an overview of what it offers and why it’s important:
Key features of Veeam Backup for Microsoft 365
- Backup for Microsoft 365 Services:
- Exchange Online: Back up emails, calendars, contacts, and tasks.
- SharePoint Online: Protect SharePoint sites, libraries, and documents.
- OneDrive for Business: Secure users’ files stored in OneDrive.
- Microsoft Teams: Back up data from Microsoft Teams, including chats, files, and sites associated with Teams.
- Granular Recovery:
- Enables granular recovery of individual items, such as emails or files, ensuring quick restoration of specific data.
- Flexible Storage Options:
- Allows storage of backups in various locations, including on-premises, in the cloud (e.g., AWS, Azure), or with a managed service provider.
- Advanced Search and eDiscovery:
- Provides powerful search capabilities to locate specific items quickly, facilitating legal and compliance requirements.
- Security and Compliance:
- Ensures data integrity and security with features like encryption and role-based access control.
- Helps meet regulatory compliance by retaining data according to policy requirements.
- Automation and scheduling:
- Supports automated backup jobs and flexible scheduling to minimize manual intervention.
- Reports backup status, the tasks performed, and how much data was backed up.
- Scalability:
- Designed to scale according to the needs of organizations, whether they are small businesses or large enterprises.
Why Veeam Backup for Microsoft 365 is Important
- Data Control: Despite Microsoft 365’s built-in redundancy and security, Microsoft operates on a shared responsibility model. This means that while Microsoft ensures the infrastructure’s availability, it is the customer’s responsibility to protect their data from accidental deletion, security threats, and retention policy gaps.
- Business Continuity: Ensures that critical business data is protected and can be restored quickly in case of data loss incidents, minimizing downtime and productivity loss.
- Regulatory Compliance: Helps organizations comply with data protection regulations by retaining and easily retrieving data when needed.
- Ransomware Protection: Provides an additional layer of protection against ransomware and other cyber threats by keeping separate, secure backups of data.
In summary, Veeam Backup for Microsoft 365 is a crucial tool for any organization using Microsoft 365, ensuring that their data is secure, easily recoverable, and compliant with regulatory requirements.
🔔 And don’t forget to back up your data – you never know what might happen 🔔
What is the IPM folder
In Exchange Online, the IPM (Interpersonal Messaging) folder is a fundamental component of the messaging system, housing the primary folders used for email and other messaging items. It includes essential folders such as the Inbox, Sent Items, Deleted Items, Drafts, and user-created folders, making it a critical element for any backup strategy.
The error
The error observed in the backup job logs is as follows. This clearly indicates the nature of the error:
Processing mailbox [email protected] failed with error: Failed to get folder properties. Not allowed to access Non IPM folder.
By examining the logs, you can easily identify what went wrong, allowing for a more efficient troubleshooting process. It’s important to regularly review these logs to ensure the backup process is running smoothly and to address any issues promptly.
The cause
The issue arises during Exchange backups, when Veeam Backup for Microsoft 365 attempts to retrieve the properties of all mailbox folders, including hidden and legacy folders like ‘TeamsMessagesData’.
Recently, Microsoft has implemented a change that prevents the retrieval of the ‘TeamsMessagesData’ folder properties using the EWS (Exchange Web Services) API, which Veeam Backup for Microsoft 365 relies on for processing Exchange data backups! 🫣
Exchange Web Services (EWS) are legacy APIs used to create clients and services that connect to Exchange to access mailbox information. Over time, it has been observed that a number of third-party applications are accessing Teams messages through EWS. This practice is both undocumented and unsupported by Microsoft and poses several risks and challenges, which necessitate the closure of this API for accessing Teams messages…
And therefore: Third-party applications are not permitted to access or use Teams data in mailboxes.
Teams can change the location and use of data at any time, making the process vulnerable to code failure when using email APIs like EWS, Exchange REST, MAPI, or Outlook Object Model.
Reasons for closing down the EWS API
- Undocumented and unsupported use:
- Accessing Teams messages through EWS is not documented or supported by Microsoft. This means there are no guarantees or official support channels for issues that arise, leading to potential reliability problems for applications relying on this method…
- Risk of code failure:
- Teams may change the location and use of message data at any time, which poses a significant risk of code failure for applications that use EWS to access Teams messages. Without official support, these changes can break functionality without warning, disrupting services and requiring urgent fixes.
- Security and Compliance:
- Using unsupported methods to access Teams messages can lead to security vulnerabilities and compliance issues. Ensuring that data access methods are supported and secure is crucial for maintaining the integrity and confidentiality of organizational communications.
- Migration to supported APIs:
- Microsoft is directing developers to use the Microsoft Graph Teams Export API, which is fully supported and documented. This API allows for the export of 1:1 chats, group chats, meeting chats, and channel messages from Microsoft Teams, providing a reliable and officially supported method for accessing Teams data.
- Future-proofing applications:
- By transitioning to the Teams Export API, organizations ensure their applications remain functional and supported in the future. This reduces the risk of unexpected downtime and the need for emergency updates in response to changes in how Teams stores message data.
How to fix
The issue can be effectively addressed by configuring the software to bypass the processing of the ‘TeamsMessagesData’ folder. This adjustment ensures smoother operation and prevents errors associated with attempting to access unsupported data through EWS.
To resolve this issue, consider the following three options:
Install the update
Upgrade to a supported version of Veeam Backup for Microsoft 365 that includes fixes or enhancements addressing compatibility with Microsoft Teams data. Ensuring the software is up-to-date aligns with best practices for maintaining functionality and security in data backup processes.
The issue was fixed in the following version: KB4533: Release Information for Veeam Backup for Microsoft 365 7a Cumulative Patches – P20240418 (7.1.0.2031)
Learn more about upgrading to Veeam Backup for Microsoft 365 7a here.
Modify Config.xml
For customers not yet prepared to upgrade to the latest version of Veeam Backup for Microsoft 365 but using at least build 6.1.0.1015, a workaround is provided.
If your current build of Veeam Backup for Microsoft 365 is older than 6.1.0.1015, upgrading to the latest version is recommended. This upgrade will resolve the issue and ensure you are using a supported version of the software.
Modify the backup job settings within Veeam Backup for Microsoft 365 to exclude the ‘TeamsMessagesData’ folder from the backup scope. This approach prevents the software from attempting to retrieve data from this unsupported source, thereby avoiding potential errors.
PowerShell script to update Config.xml file
Recommended if you are not updating to the latest version. This solution involves executing a PowerShell script as an Administrator directly on the Veeam Backup for Microsoft 365 server.
The script’s purpose is to automate the modification of the Config.xml file. This adjustment ensures that the ‘TeamsMessagesData’ folder is skipped during the backup process. This method is particularly recommended for users who are not updating the application to the latest version.
Note: Running this script will pause any active Restore Session(s) and restart the Veeam Backup for Microsoft 365 Service. Backup jobs managed by the Veeam Backup Proxy for Microsoft 365 Service service will not be affected. Allow a moment for the status of running jobs to update after launching the Veeam Backup for Microsoft 365 Console.
See the script on The PowerShell Script tab – it's hosted on my public repo on my GitHub account here: https://github.com/michaelmsonne/public
Retry backup.
Manually update Config.xml
Only the config.xml file on the main Veeam Backup for Microsoft 365 server needs to be updated.
To manually change the config.xml file to skip the TeamsMessagesData folder, follow these steps:
- Open the folder: C:\ProgramData\Veeam\Backup365\
The ProgramData folder is hidden by default. Copy and paste the folder path into the Explorer address bar.
- Inside that folder, make a copy of Config.xml and rename it to Config.xml.old.
If the Config.xml file is missing, verify that you are checking the correct folder path (i.e., ProgramData instead of Program Files).
- Launch Notepad as an Administrator, and open the file C:\ProgramData\Veeam\Backup365\Config.xml
- Add the following line within the <Archiver> section and save the file.
<Proxy SkipTeamsMessagesDataFolders="True" />
- Restart the Veeam Backup for Microsoft 365 Service service.
Note: Restarting the Veeam Backup for Microsoft 365 Service will interrupt any active Restore Session. However, active backup jobs will remain unaffected since they are managed by the Veeam Backup Proxy for Microsoft 365 Service, which does not require a restart. After launching the Veeam Backup for Microsoft 365 Console, please allow a moment for the status of running jobs to update.
- Retry the job(s).
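The manual steps above can also be done as one PowerShell run. This is an added example, not the script from the author's repository or Veeam's own; the path, element and attribute come from this post, the service is looked up by the display name used in this post, and reusing an existing <Proxy> element instead of adding a second one is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example: automates the manual Config.xml steps described in the post.
$configPath  = 'C:\ProgramData\Veeam\Backup365\Config.xml'
$backupPath  = "$configPath.old"
$serviceName = 'Veeam Backup for Microsoft 365 Service'   # display name as written in the post

if (-not (Test-Path -LiteralPath $configPath)) {
    throw "Config.xml not found at $configPath (check ProgramData, not Program Files)."
}

# Load as XML first, so a malformed file fails here and not at service start.
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($configPath)

$archiver = $xml.SelectSingleNode('//Archiver')
if ($null -eq $archiver) { throw "No <Archiver> section found in $configPath." }

# Assumption: if a <Proxy> element already exists, set the attribute on it
# rather than adding a second <Proxy> line.
$proxy = $archiver.SelectSingleNode('Proxy')
if ($null -ne $proxy -and $proxy.GetAttribute('SkipTeamsMessagesDataFolders') -eq 'True') {
    Write-Host 'SkipTeamsMessagesDataFolders is already set; nothing to change.'
    return
}

# Keep a copy before changing the file; never overwrite an earlier backup.
if (Test-Path -LiteralPath $backupPath) {
    $backupPath = "$configPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').old"
}
Copy-Item -LiteralPath $configPath -Destination $backupPath

if ($null -eq $proxy) {
    $proxy = $xml.CreateElement('Proxy')
    [void]$archiver.AppendChild($proxy)
}
$proxy.SetAttribute('SkipTeamsMessagesDataFolders', 'True')
$xml.Save($configPath)

# Restarting this service interrupts active restore sessions (see the note above).
Get-Service -DisplayName $serviceName | Restart-Service
Write-Host "Updated $configPath (backup: $backupPath). Retry the backup job(s)."
```

If the service fails to start afterwards, copy the backup file back over Config.xml and restart the service again.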
Bonus – free Veeam license(s)!
Are you a Microsoft MVP like me, or do you hold other well-known recognitions? Check this out and get a free NFR (not for resale) license to Veeam for 1 year (yes, a whole year!) 🥳
Check it out here:
- Microsoft 365 Backup: FREE NFR keys for Veeam Backup for Microsoft 365
- Veeam Data Platform – Premium Edition: FREE NFR keys for NEW Veeam Availability Suite
Who is eligible?
Veeam is happy to provide a Free NFR license to the top-level community members, certified engineers, trainers and bloggers. The list of IT professionals eligible for a free Veeam NFR license key includes:
- Veeam Certified Engineers (VMCEs)
- VMware vExperts
- VMware Certified Professionals (VCPs)
- VMware Certified Advanced Professionals (VCAPs)
- Microsoft Most Valuable Professionals (MVPs) (like meeee 🫣🥳 – Read more here)
- Microsoft Most Valuable Professionals – Office 365 (MVPs)
- Microsoft Certified Solutions Experts (MCSEs)
- AWS Heroes
- AWS Certified Pros
- VMware, Microsoft, AWS trainers
- And more!
Read more here to get the newest information from Veeam itself: Unlock Veeam’s Free Not For Resale (NFR) License | Veeam
Conclusion
Properly understanding and configuring your backup solution is essential to ensure your critical email data is protected and recoverable, especially in light of recent changes and potential issues with accessing certain folder properties in the data you back up.
Always stay up to date and test your backups!
Thank you for taking the time to visit my blog. Kindly share it with others if you find it helpful for them! 😉🔐👍
Stay tuned for the new post about something cool! 🥳
References
EWS isn’t supported when accessing Teams data – Exchange | Microsoft Learn
Shared responsibility in the cloud – Microsoft Azure | Microsoft Learn