Veeam Backup for Microsoft 365 v6a – Teams Export API Previewed

Today I want to share a sneak peek at the next release of Veeam Backup for Microsoft 365, v6a. Like traditional minor/interim releases, this release will mainly include bug fixes. However, there’s an interesting feature being released that I’ll be sharing some details on.

Goodbye Exchange, Hello Teams Export API

To understand what’s changing, we need to understand what is going, and why this change is necessary. Currently, Veeam are protecting Teams channel ‘chat’ data via Exchange Online. Notice I say Teams channel, currently Veeam doesn’t protect any ‘Direct Messages’, either 1:1 or group chats, so chat in this context refers to posts and comments within a Teams channel.

How does Veeam currently process my Teams data?

To achieve the protection of this Teams data, Veeam reads a hidden folder within Exchange Online, called ‘TeamsMessagesData’. This is true whether you use Basic or Modern Authentication.

If you weren’t already aware, Microsoft are completing removing Basic Authentication Support from October 2022, for more information on this, please read this great summary post from my friend and former Veeam Legend, Fabian. There’s also evidence that Microsoft have begun their trials of Basic Authentication being disabled on individual mailboxes, as noted by another friend & Veeam Legend, Max.

What’s wrong with the current approach? Why do we need Teams Graph APIs?

Microsoft aren’t happy with the current approach, and have created a troubleshooting document stating this isn’t supported. Within this document it is clearly detailed that the only supported method for accessing Teams data is via the Teams Graph APIs. Forcing Veeam, and all other backup vendors for that matter, into the use of Teams Graph APIs.

Microsoft intend to restrict access to the ‘TeamsMessagesData’ hidden folder completely in the near future. Furthermore, I’ve heard reports that some mailboxes within organisations are already showing issues connecting to this folder, as Microsoft test this ahead of a full roll-out. I’ve been unable to find any public-facing documentation detailing Microsoft’s timelines and aggressiveness for this change, so we need to be prepared.

This all sounds like back-end changes that shouldn’t affect me, right?

It might sound that way, but that’s not true in this instance. There are multiple risks that we need to consider as part of adopting this approach, which we’ll go through below.

Microsoft’s Teams Export API is a Protected API

What is a protected API might be your first question. The answer to this question is, a protected API is an API that requires additional validation by Microsoft, prior to approval. This is typically due to the sensitive data that could be accessed via misuse of the API. Due to the manual approval, it is not possible to utilise any form of automation to gain immediate access to the APIs.

This manual approval needs to be factored into any Veeam Backup for Microsoft 365 deployments that you’re going to undertake, as it is not an immediate process. Please see the below as copied from Microsoft’s documentation:

To request access to these protected APIs, complete the following request form. We usually review access requests every Wednesday and deploy approvals every Friday or Monday, except during major holiday weeks in the U.S. Submissions during those weeks will be processed the following non-holiday week. To verify whether your request has been approved, test your application access on the next applicable Monday. If we have additional questions about the request, we will contact the email specified in the form.

Microsoft Docs – 20/06/2022

Yep, that’s right, no confirmation of your approval, a once-a-week review process, if you’ve made a mistake, add a week’s delay to the approval process. <sarcasm> It’s only the sole API you can backup your data via, no biggie, right? </sarcasm>

This protected API access is per registered application within your Microsoft 365 tenant, so if you’re planning on protecting your Teams data via this API, be sure to register your application and request API access as soon as possible to prevent delays to your projects.

As a final comment on this, you’ll likely have noticed there’s no commitment to which cycle your API request will be processed within, I can only expect as backup vendors migrate to this API, there will be spikes in requests in line with vendor patches that incorporate this feature, which does bring a very real risk of additional delays if Microsoft don’t have the resources to cope with such spikes in utilisation.

Once you’ve received your approval, you’ll be required to add the following API permissions to your application:

  • Chat.Read.All
  • ChannelMessage.Read.All
  • User.Read.All

[Update 23/06/2022] Microsoft’s manual application process has highlighted some confusion around the process above. So to clarify, you can apply these API permissions at any point to your application, however if you attempt to use a protected API call within your application, without completing the Microsoft form & being approved first, your API call will fail. When applying for the protected API access, Microsoft don’t ask which protected APIs you need access to, instead appearing to grant access to all Microsoft Teams protected APIs, even if your application only required a subset. [End of Update]

If you haven’t gained access to the protected APIs, when you attempt to process your Teams data, you’ll be greeted with the following error:

Failed to process team: <teamname> 
Invoked API requires Protected API access in application—only context when not using Resource Specific Consent. 
Visit https://docs.microsoft.com/en—us/graph/teams—protected—apis for more details.. 
The remote server returned an error: (403) Forbidden.

Microsoft’s Teams Export API is a Metered API, still in its Infancy

In addition to the potential delays from Microsoft’s manual approval process, Microsoft have also taken the approach that this API will be metered, aka, chargeable.

This does leave me with mixed feelings, as one of Microsoft’s justifications is that this approach will enable better funding of Microsoft Graph API endpoints to prevent throttling on the service, due to its pay-as-you-consume nature, and I can respect this. However, I do have some issues with the Metered API at present which I do wish would change.

Deduplication/Data Efficiency Not Included

Within the current release of Microsoft’s Teams Export API, duplicate messages are not truncated into a single API request & response. [Update 21/06/2022] I’ve had clarification from Veeam that the previous information I was supplied wasn’t 100% accurate. I’ve left it struck through for completeness of information. For example, if I had a Teams channel that had 1,000 members, and I posted a message within the channel, this message will be returned 1,000 times, once per member of the channel. On a metered API, this becomes expensive very quickly. Then if someone has replied? That’s another 1,000 requests serviced and billed. Within direct messages, which aren’t going to be supported by v6a, and instead via an unspecified future release, Microsoft’s API will be charging via the following formula:

(#NumberOfMessages * #NumberOfMessageRecipients) * $0.00075

Whereas for Teams channel posts and replies, these are stored within a Microsoft 365 group and so they aren’t subject to this issue at present, instead the formula to calculate message cost is simple:

#NumberOfMessages * $0.00075

[End of Update]

To Microsoft’s credit, they are aware of this as a feature request, and they hope to deliver this towards the beginning of 2023, however until the feature is GA, that’s just an estimate. We’d then also need to see if their implementation requires additional work from Veeam to implement, in which case we’d be awaiting a future update.

Will Teams chat data still be backed up incrementally?

One of the most alarming thoughts that springs to mind is, can we still process Teams data incrementally? And you’ll be pleased to hear you still can.

How much does this Teams Export API cost?

Before we get into the financials, it’s good to know the cost models that Microsoft are offering with this API. Microsoft have three license types, “model=A”, “model=B” and evaluation.

Evaluation licensing is limited to 500 messages per month, per app, and will be quickly consumed by nearly all organisations. “model=A” and “model=B” licensing cost the same, but with a key difference, seeded capacity. Before we get into this, know that Veeam is required to use “model=B” licensing, which doesn’t benefit from seeded capacity, but it’s still worth highlighting this, as I believe Microsoft should reconsider what is included in “model=A” licensing.

What is a seeded capacity?

For organisations that have licensed their users with appropriate E5 licenses, if they have an application that is licensed as “model=A”, they can get a certain volume of free API calls, per user, per month, per application. These API calls are pooled collectively for the organisation, and would make a huge difference for saving money.

Why can’t Veeam leverage seeded capacities?

Microsoft are restricting “model=A” access to security & compliance access only, even though an argument could surely be made that backup products are ensuring data compliance, but Microsoft appear to still need convincing. Whilst only customers leveraging E5 licenses would benefit from the seeded capacity, this would help those that do with their billing costs.

Microsoft API Price List

ScenarioModel ParameterLicensing RequirementChange Notifications API Seeded CapacityExport API Seeded CapacityConsumption Price (Per Message)
Security & ComplianceModel = AMicrosoft 365 E5 eligible license800 messages, per user, per month, per application (Pooled)1,600 messages, per user, per month, per application (Pooled)$0.00075
Non-Security & ComplianceModel = BNoneNoneNone$0.00075
EvaluationN/AN/A500 messages, per month, per app500 messages, per month, per appN/A

Microsoft’s licensing is due to change at any point, so please keep this in mind as you read this blog post, and whilst I’ve collated this table for your benefit, the most up-to-date information can be found at Microsoft’s documentation page for licensing, here.

How does the bill get paid?

The application is registered within Azure Active Directory, which, as part of your Azure tenant, means it can be associated with an Azure subscription, this is the billing mechanism that will be utilised by Microsoft to charge for API access.

Any estimates for average Teams API costs?

This will unfortunately vary dramatically by user and organisation, I’ve heard some daily users of Teams have generated enough requests that it has equated the cost of an M365 E3 or E5 license, it is certainly possible that this will become incredibly expensive.

What else do I need to know about the Veeam Backup for Microsoft 365 v6a upgrade?

There are a few more key insights that I want to share with you regarding this upgrade. Most importantly, when you upgrade to v6a, you will no longer be able to leverage the old backup mechanism for Teams, Veeam will only offer the Teams Export Graph API option, until you’re ready to use this, you need to stay on v6.

Veeam are unable to query whether access to the protected APIs have been granted, but to prevent accidental upgrades and data protection gaps, Veeam are providing call to action prompts during the Veeam upgrade process, and will be automatically disabling the processing of Teams chat data post-upgrade, with you having to opt-in to the processing of this data again, an example of how this will look within a job configuration is below:

New checkbox appears within job configuration window called "Teams chats", default unchecked. Provides additional description of "Teams chats backup requires using protected APIs and additional billing charges from Microsoft. For more information on pricing, see this Microsoft article."

It’s worth noting the link within the screenshot is the same link I have provided above for Microsoft licensing/pricing information.

Until this release is generally available, this can’t be guaranteed, but Veeam are intending to allow support for downgrading from v6a back to v6, should you need to back out of your upgrade process if you completed this prematurely.

It is strongly recommended to perform a data audit prior to utilising Microsoft Teams Export API to ensure you’ve scoped which Teams actually require protection, to help minimize this cost increase.

This all sounds like doom & gloom, any positives to take from this?

Sure! Whilst I disagree on the pricing, especially with regards to lack of data efficiency and the omission of any free/limited utilisation options available. Especially as Teams is only available with a paid license already, the Teams Export Graph API does bring the ability to process Teams direct messages in the future. Veeam don’t have any support for this yet, but Veeam intend to extend chat support as the API matures, to better protect your environments. This will potentially include 1:1 conversations, group chats, and meeting chats.

The Teams Export Graph API also provides the benefit of not relying on Exchange Online to read what is essentially, Microsoft’s backup copy of the Teams data, instead going to the Teams Cosmos DB-based message store. The utilisation of this API will start to make it easier to get data from different locations, providing better Teams protection overall.

It’s also worth noting that this impacts Teams ‘chat’ information only, the processing of channels, tabs, files & membership data, is all covered within existing APIs, and doesn’t require metered access, so this will remain protected by default upon upgrading. You might be wondering how we configure this, Veeam have enabled new processing options specifically for Teams, as per the screenshot below.

Veeam's Edit Processing Options screen, for Teams backup job editing. There are two checkboxes on the screen, a "Chats" checkbox, default unchecked, and a "Channels, tabs, files, membership" checkbox, default checked.

Finally, if you have no intention of protecting your Teams chat data, you don’t need to worry about upgrading to v6a, just install and Veeam will no longer process your Teams chat data. Please remember that you are likely currently backing up this chat data within any existing Teams backup jobs, so you will suddenly have a data protection gap.

What do I need to do now?

If you’re planning on protecting your Teams data, now or in the future, you should focus on submitting your application to Microsoft ASAP, to have the access approved prior to the upgrade. The link is available here.

You should conduct an audit as to which Teams require data protection, this will help reduce cost increases as a result of this API.

If you’re unhappy with this change, direct your feedback to Microsoft via any and all channels you have, this could set a dangerous precedent for Microsoft’s approach to Graph API access in the future. So, if you’re opposed to the path that Microsoft is taking, be sure to make your voice heard.

Read and bookmark the Veeam KB article, as Veeam will keep this KB updated as v6a approaches generally available.

How long do I have?

Veeam hope to have v6a available by August, though it will of course be ready, when its ready. This doesn’t mean you need to upgrade on day one, however Microsoft will be concentrating efforts to shut down the legacy access to this Teams data via Exchange from October 2022, though this could be subject to change. As a result, you should plan to be on v6a by October 2022.

2 responses to “Veeam Backup for Microsoft 365 v6a – Teams Export API Previewed”

  1. […] This release has been overshadowed by Microsoft’s controversial changes being made to the Teams backup process, forcing vendors such as Veeam to cease using EWS as a mechanism to backup Teams data, instead insisting on the use of the Teams Graph API. Why is this controversial? Because the Teams Graph API is billable per query. You can read more about this in my full blog post here. […]

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: