-
- Lurker
- Posts: 2
- Liked: never
- Joined: Mar 15, 2019 12:50 pm
- Full Name: Gary Hires
- Contact:
v3 - LegacyAuthProtocolIsEnabled still required?
I am unable to tell if the newest VBO v3 completely supports MFA for ALL workloads. I followed the directions outlined here (https://tsmith.co/2019/add-org-to-veeam ... h-and-mfa/) - but I'm not able to get past the "Verifying connection and organization parameters". I'm receiving an error "Check LegacyAuthProtocolsEnabled: Legacy authentication protocols are probably disabled.". Also, if I understand correctly, if I enable the LegacyAuthProtocols with PowerShell - doesn't this affect our entire SharePoint? Isn't that the whole point of enabling MFA for my organization - to eliminate potential data breaches and access to our data via older, legacy protocols?
-
- Veeam Software
- Posts: 3191
- Liked: 774 times
- Joined: Oct 21, 2011 11:22 am
- Full Name: Polina Vasileva
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Hi Gary and welcome to the community!
While VBO v3 supports connecting to Office 365 with service accounts enabled for MFA, it indeed still requires legacy auth protocols set to enabled to be able to work with SharePoint ASMX services.
Please check this thread for more details.
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Mar 15, 2019 12:50 pm
- Full Name: Gary Hires
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Are there plans to remove the requirements for legacy auth in future versions of VBO?
-
- Veeam Software
- Posts: 3191
- Liked: 774 times
- Joined: Oct 21, 2011 11:22 am
- Full Name: Polina Vasileva
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
It will be possible if at some point these services (and a few others as well) become accessible via API.
-
- Service Provider
- Posts: 129
- Liked: 59 times
- Joined: Feb 06, 2018 10:08 am
- Full Name: Steve
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
I found out yesterday that SharePoint still absolutely requires LegacyAuthProtocols to be enabled in v3
-
- Veeam Software
- Posts: 3191
- Liked: 774 times
- Joined: Oct 21, 2011 11:22 am
- Full Name: Polina Vasileva
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
That's correct.
-
- Novice
- Posts: 6
- Liked: never
- Joined: Apr 12, 2019 6:28 pm
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
That is disappointing. I'm a bit surprised that this is something that hasn't been worked out, though. We are currently using Barracuda Cloud-to-Cloud backup for SPO/ODB backups with legacy authentication for SPO disabled, and it continues to work fine. Their implementation is similar to the setup process for modern auth for VBO to register an Azure application, so I imagine the APIs they use should be available here too.
-
- Chief Product Officer
- Posts: 31796
- Liked: 7297 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
No, these APIs really truly are not available through modern authentication. So, the fact that they are able to perform backup simply means they are not backing up everything that Veeam does (and you will find this out at restore).
Thinking more about this though, perhaps we should add a special backup mode [with a big warning sign] that only backs up stuff we can backup through APIs that do support modern authentication. What do you think about this idea?
-
- Novice
- Posts: 6
- Liked: never
- Joined: Apr 12, 2019 6:28 pm
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
@Gostev - I'd be interested to know what you can back up through the APIs that support modern auth. In Barracuda's case, I'm able to see all of the data I have stored across all SPO/ODB sites and successfully completed a few spot restores. I know that I don't get full fidelity site restore, but I get the contents. I did note in my test that I didn't get metadata (last modified date, modified by, etc.), but this is something we can live without. I guess I'm struggling to understand what I'm missing in my backup assuming that they can only interface with the same APIs you mention.
Regarding your suggestion - provided the data you CAN back up in your current implementation is meaningful, I don't think it is a bad move to add something like that with applicable warnings. I would probably find it more useful for documentation to specify specifically what is or what is not being backed up by that method, though.
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
@wes@f1
One example: ASMX files. These are used to create webservices in SharePoint. You can consider them legacy but in many cases they still exist and we need to support them for our customers.
-
- Novice
- Posts: 6
- Liked: never
- Joined: Apr 12, 2019 6:28 pm
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
@Mike Resseler - Thanks for the response. Can you clarify which question of mine you were providing an answer to? I realized I asked what Veeam could back up without the modern API and I also asked by extension what would not be included in that backup.
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Actually both (At least if I understood it correctly).
We strived to make sure that you can protect everything (which is API reachable) from O365 with both legacy authentication and MFA. And as said, .ASMX files are webservices but you could call them extensions also. So if another vendor does not use the legacyauthprotocol, then those are excluded for sure. (You basically cannot query them in a modern way). But again, this is just one example, I requested the teams to create a list. And based on that list, we are going to discuss internally what to do with this.
We might (for example) decide to simply give a warning (something like: If you do not enable... then you will have no backups of A, B and C...). But it is early in my thinking (so please give us your ideas)
-
- Novice
- Posts: 6
- Liked: never
- Joined: Apr 12, 2019 6:28 pm
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
@Mike Resseler - Thanks for the clarification. I don't do SharePoint development myself, so I had to dig a bit to understand ASMX files, but it looks like they are associated with a deprecated API and that MS is pushing users toward using SOAP or REST instead. I'm curious if the items you aren't able to pick up with legacy authentication are related to deprecated areas. If that is true, it may not be prudent to attempt to back that information up by default. If you are able to share the list once it is created, I think it would help my understanding.
I like your suggestion on the option for a warning. I would envision it attempting modern auth first, generating the error that stops you, then acknowledging it with the notification about what can't be backed up before you can proceed.
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Hey Wes,
This was discussed last week. We are indeed looking into the full list of what is not reachable through the modern way. Based on that list, we will use our data to see what is still used a lot (and we can't miss it in the backup) and what not. A solution won't be here quickly, but we are going to see what we can do for the next version.
The only thing that will always bother me in this story, is that some data won't be protected. And as an old school backup guy, I want to protect EVERYTHING
-
- Novice
- Posts: 8
- Liked: 2 times
- Joined: May 16, 2019 7:39 pm
- Full Name: Darius
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
What if we were to restrict legacy authentication access to just the VBO service account?
Microsoft's approach to disabling legacy authentication is to set a Conditional Access policy as mentioned throughout their Secure Score and Identity Protection Score screens. The process is described in detail in the TechNet blog link below. They do not mention disabling legacy authentication in SPO or EXO using PowerShell (even though you can).
An approach I just thought of would be to EXCLUDE the VBO service account from an organization-wide Conditional Access policy that *blocks* everyone else from using legacy authentication, *plus* a separate Conditional Access policy which *blocks* legacy authentication, but this time INCLUDES just the VBO service account *and* has a Location condition. The location is set to Include 'any' location *except* an EXCLUDED location of the public IP of the VBO server.
What this would effectively accomplish is:
1. Permit the VBO service account to use legacy authentication, but only from the designated IP address(es) in the second policy.
2. Block all other accounts from using legacy authentication, regardless of location.
https://blogs.technet.microsoft.com/clo ... protocols/
I would like to hear your thoughts on this approach.
-Darius
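The two-policy design described in the post above, modelled as an added example (not part of the original posts, and a simplified model rather than Microsoft's evaluation engine): a small Python evaluator that runs constructed sign-ins through both policies to show which combinations of account, client type and source IP are blocked. The account names, IP addresses and policy field names are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholders: substitute your own service account and egress IP.
VBO_ACCOUNT = "svc-vbo@example.onmicrosoft.com"
VBO_SERVER_IPS = [ip_network("203.0.113.10/32")]   # public IP of the VBO server
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}   # labels this model uses for legacy auth

POLICIES = [
    {   # Policy 1: block legacy auth for everyone except the VBO service account.
        "name": "Block legacy auth - all users",
        "include_users": {"All"}, "exclude_users": {VBO_ACCOUNT},
        "client_app_types": LEGACY_CLIENTS,
        "exclude_locations": [],               # applies from any location
    },
    {   # Policy 2: block legacy auth for the VBO account unless it comes
        # from the VBO server's public IP.
        "name": "Block legacy auth - VBO account outside VBO server",
        "include_users": {VBO_ACCOUNT}, "exclude_users": set(),
        "client_app_types": LEGACY_CLIENTS,
        "exclude_locations": VBO_SERVER_IPS,   # 'any' location except these
    },
]

def policy_applies(policy, user, client_app, source_ip):
    """True when a block policy is in scope for this sign-in."""
    in_scope = "All" in policy["include_users"] or user in policy["include_users"]
    if not in_scope or user in policy["exclude_users"]:
        return False
    if client_app not in policy["client_app_types"]:
        return False
    addr = ip_address(source_ip)
    return not any(addr in net for net in policy["exclude_locations"])

def evaluate(user, client_app, source_ip):
    """Return (decision, matching policy names); any matching block policy wins."""
    hits = [p["name"] for p in POLICIES
            if policy_applies(p, user, client_app, source_ip)]
    return ("block" if hits else "allow", hits)

# Constructed sign-in attempts: (label, user, client type, source IP).
ALICE = "alice@example.onmicrosoft.com"
SIGN_INS = [
    ("VBO account, legacy auth, from VBO server", VBO_ACCOUNT, "other", "203.0.113.10"),
    ("VBO account, legacy auth, from elsewhere", VBO_ACCOUNT, "other", "198.51.100.7"),
    ("regular user, legacy auth, from VBO server IP", ALICE, "other", "203.0.113.10"),
    ("regular user, legacy auth, from elsewhere", ALICE, "exchangeActiveSync", "198.51.100.7"),
    ("regular user, browser sign-in", ALICE, "browser", "198.51.100.7"),
]

def run_matrix():
    """Decision for every constructed sign-in, keyed by its label."""
    return {label: evaluate(u, c, ip)[0] for label, u, c, ip in SIGN_INS}

if __name__ == "__main__":
    for label, decision in run_matrix().items():
        print(f"{decision:5}  {label}")
```

The model covers only the two block policies; MFA and other grant controls are left out. The one allowed legacy path is bound to the VBO server's public IP, so anything else that egresses from that address and holds the service account password passes the same check.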
-
- Veeam Software
- Posts: 3191
- Liked: 774 times
- Joined: Oct 21, 2011 11:22 am
- Full Name: Polina Vasileva
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Hi Darius,
We didn't test this scenario, but if you have a chance to try it in your environment, we'd be very interested to know the results.
Thanks!
-
- Novice
- Posts: 8
- Liked: 2 times
- Joined: May 16, 2019 7:39 pm
- Full Name: Darius
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Hello Polina (and others),
I have successfully implemented what I suggested in my previous post.
To assist Veeam and others, I have created a blog post about this with full, detailed instructions here:
https://www.liktorius.com/2019/07/17/pr ... m-vbo-365/
Warm Regards,
-Darius
-
- Veeam Software
- Posts: 3191
- Liked: 774 times
- Joined: Oct 21, 2011 11:22 am
- Full Name: Polina Vasileva
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Darius, can you please check if your link is correct? For me, it gives a 403 error.
-
- Novice
- Posts: 8
- Liked: 2 times
- Joined: May 16, 2019 7:39 pm
- Full Name: Darius
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Polina,
Yes, clicking directly on the link in my forum post sends me to the correct blog post. You should not be receiving a 403. Have you tried it from more than one computer/phone?
-Darius
-
- Veeam Software
- Posts: 3191
- Liked: 774 times
- Joined: Oct 21, 2011 11:22 am
- Full Name: Polina Vasileva
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
I only tried it from one device. Now another attempt - from a different device and different network/country - ends up the same way.
Thanks
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Unfortunately I can confirm that I get a 403 also... I tried to go to https://www.liktorius.com/ directly and search the post but the same...
-
- Novice
- Posts: 8
- Liked: 2 times
- Joined: May 16, 2019 7:39 pm
- Full Name: Darius
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Polina and Mike Resseler - Please try again.
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Done. It works now! Thanks for this Darius, good stuff
-
- Influencer
- Posts: 13
- Liked: 1 time
- Joined: Jan 23, 2018 8:21 am
- Full Name: OL
- Contact:
[MERGED] Veeam, O365 and modern auth vs. basic legacy.
Reading the blog post regarding O365 MFA + Veeam, there are a couple of points I found problematic.
Example:
https://www.veeam.com/blog/setup-multi- ... e-365.html
"And last but not the least, to be able to protect text, images, files, video, dynamic content and more added to your SharePoint Online modern site pages, Veeam Backup for Microsoft Office 365 requires LegacyAuthProtocolsEnabled to be set to $True. This basic authentication protocol takes effect for all your SharePoint Online organization, but it is required to work with certain specific services, such as ASMX."
....
"• AllowBasicAuthPowershell protocol must be enabled for your Veeam service account"
We very much would like to go all modern auth and disable legacy basic authentication. If I am reading this correctly, that is not possible if we use Veeam to back up O365.
Are there any plans to remove the use of legacy basic authentication?
-
- Influencer
- Posts: 13
- Liked: 1 time
- Joined: Jan 23, 2018 8:21 am
- Full Name: OL
- Contact:
Re: Veeam, O365 and modern auth vs. basic legacy.
Why basic is bad?
https://docs.microsoft.com/en-us/dotnet ... core-6.2.0
"Conversely, Basic authentication sends a Base 64 encoded password, essentially in clear text, across the network."
-
- Veeam Software
- Posts: 3191
- Liked: 774 times
- Joined: Oct 21, 2011 11:22 am
- Full Name: Polina Vasileva
- Contact:
Re: Veeam, O365 and modern auth vs. basic legacy.
Hi Olav,
First, I'm moving your posts to another thread where the similar questions are discussed.
Next, as you can see from the above posts here, legacy auth protocols are now required for VBO, but we understand your concerns and will drop this requirement as soon as it's technically possible.
Also, when using basic authentication and connecting to any of the O365 endpoints, VBO encrypts all data in-transit using SSL.
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Sep 25, 2019 2:12 pm
- Full Name: Chris Nicholls
- Contact:
[MERGED] Microsoft CSP and MFA + Block Legacy Auth for Backing Up
Trying to Use Modern Auth to Back up O365 and SharePoint appears to be hardcoded to have Legacy Auth Enabled. This means we cannot back up our OneDrive/SharePoint.
Exchange Online allows us to connect and backup with Legacy Auth on but once disabled and using Modern Auth it is failing. Microsoft Graph connects but the Microsoft Exchange and PowerShell fails with 401 Unauthorized.
Microsoft mandate all CSP have Legacy Auth disabled and MFA is on for ALL users
https://support.microsoft.com/en-us/hel ... basic-auth
Support ID: 03606008
-
- Veeam Software
- Posts: 3191
- Liked: 774 times
- Joined: Oct 21, 2011 11:22 am
- Full Name: Polina Vasileva
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Hi Chris and welcome to Veeam Forums!
I moved your topic to the existing thread where the similar challenges are discussed. Please take a moment to review the above posts and this suggestion on how to configure CAP for a VBO account.
Thanks!
-
- Enthusiast
- Posts: 53
- Liked: 3 times
- Joined: Oct 24, 2018 8:22 am
- Full Name: Christoph Schulze
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Any news on that?
-
- Veeam Software
- Posts: 3191
- Liked: 774 times
- Joined: Oct 21, 2011 11:22 am
- Full Name: Polina Vasileva
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Hi Christoph,
There's not that much to share, as these requirements are still relevant.