Maintain control of your Microsoft 365 data
ghires
Lurker
Posts: 2
Liked: never
Joined: Mar 15, 2019 12:50 pm
Full Name: Gary Hires
Contact:

v3 - LegacyAuthProtocolIsEnabled still required?

Post by ghires »

I am unable to tell if the newest VBO v3 completely supports MFA for ALL workloads. I followed the directions outlined here (https://tsmith.co/2019/add-org-to-veeam ... h-and-mfa/) - but I'm not able to get past the "Verifying connection and organization parameters". I'm receiving an error "Check LegacyAuthProtocolsEnabled: Legacy authentication protocols are probably disabled.". Also, if I understand correctly, if I enable the LegacyAuthProtocols with PowerShell - doesn't this affect our entire SharePoint? Isn't that the whole point of enabling MFA for my organization - to eliminate potential data breaches and access to our data via older, legacy protocols?
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina »

Hi Gary and welcome to the community!

While VBO v3 supports connecting to Office 365 with service accounts enabled for MFA, it indeed still requires legacy auth protocols set to enabled to be able to work with SharePoint ASMX services.
Please check this thread for more details.
ghires
Lurker
Posts: 2
Liked: never
Joined: Mar 15, 2019 12:50 pm
Full Name: Gary Hires
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by ghires »

Are there plans to remove the requirements for legacy auth in future versions of VBO?
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina »

It will be possible if at some point these services (and a few others as well) become accessible via API.
Steve-nIP
Service Provider
Posts: 117
Liked: 49 times
Joined: Feb 06, 2018 10:08 am
Full Name: Steve
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Steve-nIP »

I found out yesterday that SharePoint still absolutely requires LegacyAuthProtocols to be enabled in v3
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina »

That's correct.
wes@f1
Novice
Posts: 6
Liked: never
Joined: Apr 12, 2019 6:28 pm
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by wes@f1 »

That is disappointing. I'm a bit surprised that this is something that hasn't been worked out, though. We are currently using Barracuda Cloud-to-Cloud backup for SPO/ODB backups with legacy authentication for SPO disabled, and it continues to work fine. Their implementation is similar to the setup process for modern auth for VBO to register an Azure application, so I imagine the APIs they use should be available here too.
Gostev
Chief Product Officer
Posts: 31457
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Gostev » 1 person likes this post

No, these APIs really truly are not available through modern authentication. So, the fact that they are able to perform backup simply means they are not backing up everything that Veeam does (and you will find this out at restore).

Thinking more about this though, perhaps we should add a special backup mode [with a big warning sign] that only backs up stuff we can backup through APIs that do support modern authentication. What do you think about this idea?
wes@f1
Novice
Posts: 6
Liked: never
Joined: Apr 12, 2019 6:28 pm
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by wes@f1 »

@Gostev - I'd be interested to know what you can back up through the APIs that support modern auth. In Barracuda's case, I'm able to see all of the data I have stored across all SPO/OSB sites and successfully completed a few spot restores. I know that I don't get full fidelity site restore, but I get the contents. I did note in my test that I didn't get metadata (last modified date, modified by, etc.), but this is something we can live without. I guess I'm struggling to understand what I'm missing in my backup assuming that they can only interface with the same APIs you mention.

Regarding your suggestion - provided the data you CAN back up in your current implementation is meaningful, I don't think it is a bad move to add something like that with applicable warnings. I would probably find it more useful for documentation to specify specifically what is or what is not being backed up by that method, though.
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mike Resseler »

@wes@f1

One example: ASMX files. These are used to create webservices in SharePoint. You can consider them legacy but in many cases they still exist and we need to support them for our customers.
wes@f1
Novice
Posts: 6
Liked: never
Joined: Apr 12, 2019 6:28 pm
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by wes@f1 »

@Mike Resseler - Thanks for the response. Can you clarify which question of mine you were providing an answer to? I realized I asked what Veeam could back up without the modern API and I also asked by extension what would not be included in that backup.
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mike Resseler »

Actually both :-) (At least if I understood it correctly).

We strived to make sure that you can protect everything (which is API reachable) from O365 both with legacy authentication and with MFA. And as said, .ASMX files are webservices but you could call them extensions also. So if another vendor does not use the legacyauthprotocol, then those are excluded for sure. (You basically cannot query them in a modern way). But again, this is just one example, I requested the teams to create a list. And based on that list, we are going to discuss internally what to do with this.

We might (for example) decide to simply give a warning (something like: If you do not enable... then you will have no backups of A, B and C...). But it is early in my thinking (so please give us your ideas)
wes@f1
Novice
Posts: 6
Liked: never
Joined: Apr 12, 2019 6:28 pm
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by wes@f1 »

@Mike Resseler - Thanks for the clarification. I don't do SharePoint development myself, so I had to dig a bit to understand ASMX files, but it looks like they are associated with a deprecated API and that MS is pushing users toward using SOAP or REST instead. I'm curious if the items you aren't able to pick up with legacy authentication are related to deprecated areas. If that is true, it may not be prudent to attempt to back that information up by default. If you are able to share the list once it is created, I think it would help my understanding.

I like your suggestion on the option for a warning. I would envision it attempting modern auth first, generating the error that stops you, then acknowledging it with the notification about what can't be backed up before you can proceed.
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mike Resseler »

Hey Wes,

This was discussed last week. We are indeed looking into the full list of what is not reachable through the modern way. Based on that list, we will use our data to see what is still used a lot (and we can't miss it in the backup) and what not. A solution won't be here quickly, but we are going to see what we can do for the next version.

The only thing that will always bother me in this story, is that some data won't be protected. And as an old school backup guy, I want to protect EVERYTHING :-)
Hydrogen
Novice
Posts: 8
Liked: 2 times
Joined: May 16, 2019 7:39 pm
Full Name: Darius
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Hydrogen »

What if we were to restrict legacy authentication access to just the VBO service account?

Microsoft's approach to disabling legacy authentication is to set a Conditional Access policy as mentioned throughout their Secure Score and Identity Protection Score screens. The process is described in detail in the TechNet blog link below. They do not mention disabling legacy authentication in SBO or EXO using PowerShell (even though you can).

An approach I just thought of would be to EXCLUDE the VBO service account from an organization-wide Conditional Access policy that *blocks* everyone else from using legacy authentication, *plus* a separate Conditional Access policy which *blocks* legacy authentication, but this time INCLUDES just the VBO service account *and* has a Location condition. The location is set to Include 'any' location *except* an EXCLUDED location of the public IP of the VBO server.

What this would effectively accomplish is:

1. Permit the VBO service account to use legacy authentication, but only from the designated IP address(es) in the second policy.
2. Block all other accounts from using legacy authentication, regardless of location.

https://blogs.technet.microsoft.com/clo ... protocols/

I would like to hear your thoughts on this approach.

-Darius
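
Added example (not part of the thread, and not Veeam's or Microsoft's code): a simplified model of the two block policies described in the post above, evaluated against a few sign-ins to show which ones each policy stops. The account name, IP addresses and policy names are constructed, and the model covers only the user, client-app and location conditions the post mentions.

```python
import ipaddress
from dataclasses import dataclass, field

LEGACY, MODERN = "legacy", "modern"

@dataclass
class BlockPolicy:
    """Simplified Conditional Access policy whose grant control is Block."""
    name: str
    include_users: set                       # {"All"} or explicit account names
    exclude_users: set = field(default_factory=set)
    exclude_networks: list = field(default_factory=list)  # excluded locations (CIDR)

    def applies(self, user, client, ip):
        if client != LEGACY:
            return False  # both policies target legacy-auth clients only
        in_scope = "All" in self.include_users or user in self.include_users
        if not in_scope or user in self.exclude_users:
            return False
        addr = ipaddress.ip_address(ip)
        # Location condition: include any location except the excluded ones.
        return not any(addr in ipaddress.ip_network(n) for n in self.exclude_networks)

def evaluate(policies, user, client, ip):
    """Any applicable block policy blocks the sign-in; return (decision, hits)."""
    hits = [p.name for p in policies if p.applies(user, client, ip)]
    return ("block" if hits else "allow"), hits

# Constructed values: hypothetical account names, RFC 5737 documentation IPs.
VBO_ACCOUNT = "svc-vbo@example.onmicrosoft.com"
OTHER_USER = "alice@example.onmicrosoft.com"
VBO_SERVER_NET = "203.0.113.10/32"

POLICIES = [
    # Policy 1: block legacy auth for everyone except the VBO service account.
    BlockPolicy("Block legacy auth - everyone", {"All"}, exclude_users={VBO_ACCOUNT}),
    # Policy 2: block the VBO account's legacy auth unless it comes from the VBO server.
    BlockPolicy("Block legacy auth - VBO off-site", {VBO_ACCOUNT},
                exclude_networks=[VBO_SERVER_NET]),
]

if __name__ == "__main__":
    cases = [
        (VBO_ACCOUNT, LEGACY, "203.0.113.10"),  # backup server itself
        (VBO_ACCOUNT, LEGACY, "198.51.100.7"),  # service account from another address
        (OTHER_USER, LEGACY, "203.0.113.10"),   # ordinary user, legacy client
        (OTHER_USER, MODERN, "198.51.100.7"),   # ordinary user, modern auth
    ]
    for user, client, ip in cases:
        print(user, client, ip, "->", evaluate(POLICIES, user, client, ip))
```

Only the first case gets through on legacy authentication; the service account's credentials used from any other address are blocked by the second policy.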
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina »

Hi Darius,

We didn't test this scenario, but if you have a chance to try it in your environment, we'd be very interested to know the results.

Thanks!
Hydrogen
Novice
Posts: 8
Liked: 2 times
Joined: May 16, 2019 7:39 pm
Full Name: Darius
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Hydrogen » 2 people like this post

Hello Polina (and others),

I have successfully implemented what I suggested in my previous post.

To assist Veeam and others, I have created a blog post about this with full, detailed instructions here:
https://www.liktorius.com/2019/07/17/pr ... m-vbo-365/

Warm Regards,
-Darius
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina »

Darius, can you please check if your link is correct? For me, it gives a 403 error.
Hydrogen
Novice
Posts: 8
Liked: 2 times
Joined: May 16, 2019 7:39 pm
Full Name: Darius
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Hydrogen »

Polina,

Yes, clicking directly on the link in my forum post sends me to the correct blog post. You should not be receiving a 403. Have you tried it from more than one computer/phone?

-Darius
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina »

I only tried it from one device. Now another attempt - from a different device and different network/country - ends up the same way.

Thanks
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mike Resseler »

Unfortunately I can confirm that I get a 403 also... I tried to go to https://www.liktorius.com/ directly and search the post but the same...
Hydrogen
Novice
Posts: 8
Liked: 2 times
Joined: May 16, 2019 7:39 pm
Full Name: Darius
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Hydrogen »

Polina and Mike Resseler - Please try again.
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mike Resseler »

Done. It works now! Thanks for this Darius, good stuff
olavl
Influencer
Posts: 13
Liked: 1 time
Joined: Jan 23, 2018 8:21 am
Full Name: OL
Contact:

[MERGED] Veeam, O365 and modern auth vs basic legacy.

Post by olavl »

Reading the blog post regarding O365 MFA + Veeam, there are a couple of points I found problematic.

Example:
https://www.veeam.com/blog/setup-multi- ... e-365.html
"And last but not the least, to be able to protect text, images, files, video, dynamic content and more added to your SharePoint Online modern site pages, Veeam Backup for Microsoft Office 365 requires LegacyAuthProtocolsEnabled to be set to $True. This basic authentication protocol takes effect for all your SharePoint Online organization, but it is required to work with certain specific services, such as ASMX."
....
"• AllowBasicAuthPowershell protocol must be enabled for your Veeam service account"


We very much would like to go all modern auth and disable legacy basic authentication. If I am reading this correctly, that is not possible if we use Veeam to back up O365.
Are there any plans to remove the use of legacy basic authentication?
olavl
Influencer
Posts: 13
Liked: 1 time
Joined: Jan 23, 2018 8:21 am
Full Name: OL
Contact:

Re: Veeam, O365 and modern auth vs basic legacy.

Post by olavl »

Why basic is bad?
https://docs.microsoft.com/en-us/dotnet ... core-6.2.0
"Conversely, Basic authentication sends a Base 64 encoded password, essentially in clear text, across the network."
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: Veeam, O365 and modern auth vs basic legacy.

Post by Polina »

Hi Olav,

First, I'm moving your posts to another thread where the similar questions are discussed.

Next, as you can see from the above posts here, legacy auth protocols are now required for VBO, but we understand your concerns and will drop this requirement as soon as it's technically possible.

Also, when using basic authentication and connecting to any of the O365 endpoints, VBO encrypts all data in-transit using SSL.
Chris.Nicholls
Lurker
Posts: 1
Liked: never
Joined: Sep 25, 2019 2:12 pm
Full Name: Chris Nicholls
Contact:

[MERGED] Microsoft CSP and MFA + Block Legacy Auth for Backing Up

Post by Chris.Nicholls »

Trying to Use Modern Auth to Back up O365 and SharePoint appears to be hardcoded to have Legacy Auth Enabled. This means we cannot back up our OneDrive/SharePoint.

Exchange Online allows us to connect and back up with Legacy Auth on, but once disabled and using Modern Auth it is failing. Microsoft Graph connects but the Microsoft Exchange and PowerShell fail with 401 Unauthorized.

Microsoft mandate all CSP have Legacy Auth disabled and MFA is on for ALL users

https://support.microsoft.com/en-us/hel ... basic-auth

Support ID: 03606008
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina »

Hi Chris and welcome to Veeam Forums!

I moved your topic to the existing thread where the similar challenges are discussed. Please take a moment to review the above posts and this suggestion on how to configure CAP for a VBO account.

Thanks!
c.schulzejn
Enthusiast
Posts: 53
Liked: 3 times
Joined: Oct 24, 2018 8:22 am
Full Name: Christoph Schulze
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by c.schulzejn »

Any news on that?
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina »

Hi Christoph,

There's not that much to share, as these requirements are still relevant.