Veeam for Office 365 and Two Factor?

[postmaal]

We currently use two factor for Office 365. If I turn two factor off I am able to use my credentials to continue setting it up. If I try and use my regular login credentials, I cannot get past Connect to EWS, If I use an app password I get past Connect to EWS but fail connecting to powershell as "App Passwords are not available for use with PowerShell access to Office 365". Any suggestions?

Thanks,

[Mike Resseler]

Hi,

Can you create a special user that doesn't need to use two factor authentication? Like a global user that will be used for this solution?

Mike

[postmaal]

Thanks for the suggestion Mike,

We do use a non two-factor user for powershell as Microsoft, to the best of my knowledge, doesn't allow multi-factor auth with power shell sessions. Since it appears veeam leverages powershell to connect to 365 I'm going to have to use that same user for the backups. I don't like it but I can live with it and rely on a strict password. I'm beginning to realize this isn't a veeam issue but instead of Microsoft one. It does seem backwards to me that the powershell admin user (one who has access to everything) isn't allowed multi-factor authentication. I also don't like giving up such passwords to 3rd party applications.

[Mike Resseler]

Hi,

I can understand, but as you said yourself... This is something we can't control. Please let us know if this works. From our side, we will ask (but not for v1 anymore) Microsoft to see if this is something that can be solved.
For your information, your password and user is stored encrypted in our solution.

Cheers
Mike

[postmaal]

I was able to set it up with a non two-factor user. Overall fairly impressed playing around with the beta. Looking forward to the release.

Thanks,
Alex

[Mike Resseler]

Hi Alex,

Thanks for coming back to us. Appreciated!

Mike

[mcz]

From our side, we will ask (but not for v1 anymore) Microsoft to see if this is something that can be solved.

Mike, have you been able to contact Microsoft, what did they say? We have the same situation here that we would like to enable MFA but of course this would break our backup solution...

[Mike Resseler]

Hi Michael,

I never received reaction on my request but non-officially I was informed that this is not on the roadmap for them.

Sorry
Mike

[mcz]

Honestly I am surprised that Microsoft doesn't care about this topic because you will never be able to use MFA for this specific user - we are talking about security.

Anyway, thank you for this information and I will try to run veeam backup with a seperate user.

[mcz]

surprise, surprise. Switched on MFA for the admin and realized that powershell doesn't work anymore - it tells you "access denied" and using the app-password bringts you the message "app-password not allowed using powershell".
I found an article about powershell & MFA - so Microsoft supports MFA & powershell:

https://technet.microsoft.com/en-us/lib ... .160).aspx

Now I think that you can start to implement powershell & MFA in veeam??

[Mike Resseler]

Thanks for the information, it looks like some things recently have changed in that document. We will certainly investigate, but I am not going to make any promises at this moment.

[mcz]

Yeah Mike of course, I know that any promises will be difficult and maybe unrealistic. But it would be nice to hear anything from you when it has been decided if it will be implementet in future releases. Thank you!

[Mike Resseler]

Understood. I can say one thing for certain (unfortunately), the next minor version (1.5) won't support this as we are already in feature lock. But we will discuss it for our next major version

[boris.bahes]

Understood. I can say one thing for certain (unfortunately), the next minor version (1.5) won't support this as we are already in feature lock. But we will discuss it for our next major version

Discuss it? Seriously? I expect from Veeam, something like, Q4 2017 or Q1 2018.

[mcz]

Understood. I can say one thing for certain (unfortunately), the next minor version (1.5) won't support this as we are already in feature lock. But we will discuss it for our next major version

Mike, now since version 1.5 is available I guess the roadmap for the next release has been already discussed. Are there any news regarding MFA?

[Mike Resseler]

No news Michael at this moment

[stvajnkf]

I am currently using the competing product CodeTwo Backup for Office 365. I am comparing features with Veeam, and this feature is one of the few that CodeTwo has you beat. CodeTwo has had 2FA since Jan 29 2018. Can you share an estimated timeline for when this feature will be ready in Veeam backup for 365?

Thanks.

[Mike Resseler]

I have no timeline for this at this moment. But how do you do this for the account that connects as a service? Does it also use 2FA?

[stvajnkf]

I have no timeline for this at this moment. But how do you do this for the account that connects as a service? Does it also use 2FA?

I don't understand the question. I think the actual Office 365 admin credentials that CodeTwo uses to backup all our Office 365 accounts can have 2FA enabled in Office 365. Then in the backup program, instead of typing that user's normal 365 password, we would type the user's generated "app password". The benefit is that the actual admin password doesn't have to be stored anywhere in a 3rd party program, and the obvious benefits of 2FA on the website login.

The details are here: https://www.codetwo.com/kb/using-mfa-wi ... -software/

I actually don't use the 2FA feature yet, but I recently started looking at improving the security of our Office365 account, and that's when I learned that Veeam now has a Office365 backup program. I started comparing the feature list of both programs, and found that this 2FA is something I would like to start using, but can't if I switch to Veeam.

[Mike Resseler]

Thanks for the additional information. As said, I won't have this in the next version but the additional information is interesting for me to dive into further. In all honesty, 2FA for me makes sense for users, but I am not too familiar (yet ) with app passwords and their security. Something to learn about

[frankive]

"app passwords" is just a buypass of the 2fa and is NOT something you want to use. In that case Veeam (and all other clients wo can connect to an exchange account) does support MFA, which is not the case..

What you should do is buy Azure Ad Premium so you can use more advanced capabilites of the MFA like whitelite on your wan-ip. Then you can whitelist the ip where the backup is starting their connection, f.ex you Office 365 Backup server.

Just my 2 cents.

[Ruzaila]

Hoping this is not too late but I use App passwords on my Demo environment. Here are some of the issues I've encountered:

Just to paint a picture I have been playing with 2 admin accounts (2FA) and one semi admin account. Fully deployed on O365.
Account details:
Administrator@demo.com
User1@demo.com
reports@demo.com

* I initially configured this with User1. Not best practice to use a User account when configuring but I wanted to test changing accounts around. Through an arduous long process and cursing, it finally worked with App passwords.
* Time to swap things around! I edited the organization to configure as Administrator. The EWS Connection can be finicky and will time out with a 401 but Powershell will pass. Eventually it fixes itself. There is a KB out there for this (2440) but all it took for me was to exit the Configuration and attempt it again. I'll update if this causes backup issues but so far so good with a few tests.
* App passwords, although terrible for future setups/modifications might be the way to go for a highly secure environment. Just make sure that the address used for reporting is NOT using an app password. It really did not like my app password.
When you use an app password it throws a 5.7.60 SMTP error and I've tried multiple fixes even changing the SMTP to my "demo.mail.protection.outlook.com", port 25/587. I authenticated it against an account (reports) that does not require 2FA but has some other Admin rights on EAC.
* Probably not the right place to put this but attempting to connect to Powershell (not via Agent) to perform login tests did not work at all. I only tested this so I can attempt to understand why the Agent refused to add the organization.

I hope this helps!

[Mike Resseler]

Rose,

Thank you! This is great information. Our QC department is prepping the release so is very busy at this moment but once they get more time (which will probably be after release of v2) I will make sure they test this out as well!

Many thanks again!
Mike

[frankive]

why not use ip-whitelisting? as long as the data is encrypted in transit and rest, and you protect your environment for the public ip you should have a secure setup.

[stvajnkf]

As of version 2.0.0.567 and 11/12/2018, two-factor authentication is still not working for the main service account that lets Veeam connect to the Office 365 server. It fails when it tries to connect to Microsoft Graph, preventing me from going any further with the backup job setup.

[Polina]

Hi stvajnkf,

Version 2.0 (GA build 2.0.0.567) doesn't provide MFA support. We're working to implement it in the future releases.

[dyak]

Any ETA of future releases that will support MFA?

[Polina]

Hi @dyak,

We're targeting to have it live in H1 2019.

[frankive]

can anyone enlighten me the need for mfa-setup as long as you use an account where you only allow login from specific IPs?
With a Azure Premium PLan 1 mfa license you can buypass mfa for all other ips from your whitelist.

[Mike Resseler]

Frank,

Modern authentication can be a good thing for many people. For example, when my computer connects to O365 to download emails and files and whatever, it is from different IP's. Hotel rooms, airports, home office and so on so whitelisting won't be possible in my case. Now, your VBO solution will probably don't have that problem . So whitelisting in your case could be a very good thing to do and an additional defense. However, I see this as an additional defense and in combination with modern authentication will just enhance your security

My 2 cents
Mike