-
- Enthusiast
- Posts: 53
- Liked: 3 times
- Joined: Oct 24, 2018 8:22 am
- Full Name: Christoph Schulze
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
I know, you have to use the API Microsoft provides. So pls don't be offended.
Microsoft on the other side is pushing us as a Microsoft Partner to use the Conditional Access - Policies. As I don't know if Veeam is aware of this, I'll post some screenshots for you.
https://partner.microsoft.com/en-us/pcv ... compliance
https://partner.microsoft.com/de-DE/res ... quirements#/
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
We are aware of this but we (and Microsoft) are also aware that certain things are still not available via the new API’s and therefore we leverage the legacy path. So far this hasn’t cause any issues but we will continue to push and update as time goes on.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
-
- Novice
- Posts: 9
- Liked: 3 times
- Joined: Oct 17, 2018 6:13 pm
- Full Name: Christian Petersen
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Hello
My company is in the process of implementing VBO atm, and we have also stumbled upon the need for the SPO legacy protocol to be enabled.
We talked to our contacts at Veeam about it and they gave us the solution mentioned in this forum thread.
We then decided to dig deep into the solution to see if it was okay to implement (we are currently using CA).
I talked to a colleague of mine who is a Microsoft MVP in Enterprise Mobility and asked him to look at the solution provided.
He then got back to me and told me, short version: "You cannot use CA to prevent the use of the legacy protocol, because the legacy protocol cannot handle CA enforcement. CA is a top-level security measure and when you enable the legacy protocol in SPO, you can then bypass CA with just username & password."
My first response was: are you sure? He then went a little further and asked a couple of other MVPs with in-depth knowledge of CA policies, and 3 of them told him that he was right in what he told me. One other MVP was not, and said the exact opposite.
He then went on to ask a Microsoft employee who works in the Intune team, and he confirmed what the 3 other MVPs had told him.
We have now reached out to our contacts at Microsoft to get an answer to the question "Is it safe to enable the legacy protocol in SPO and then use CA to protect it?" We are currently still waiting on the answer.
This is from a blog post regarding this topic:
Some cloud apps also support legacy authentication protocols. This applies, for example, to SharePoint Online and Exchange Online. When a client app can use a legacy authentication protocol to access a cloud app, Azure AD cannot enforce a conditional access policy on this access attempt. To prevent a client app from bypassing the enforcement of policies, you should check whether it is possible to only enable modern authentication on the affected cloud apps.
- This is taken from a Microsoft MVP (Enterprise mobility) - https://alberthoitingh.com/2018/04/26/m ... on-beware/ -
His source is: https://docs.microsoft.com/en-us/azure/ ... -practices
And that basically confirms what we have been told so far.
So, my question to you guys that have enabled the legacy protocol in SPO and are using CA to protect it: do you have any confirmation from an official source that it's absolutely 100% safe and that it's not lowering your security standard?
-
- Service Provider
- Posts: 1092
- Liked: 134 times
- Joined: May 14, 2013 8:35 pm
- Full Name: Frank Iversen
- Location: Norway
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
*chewing popcorn on this*
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Hey,
Sorry about my late reply... I have been a bit busy releasing lately. I disagree with the MVP on his statement. Having a legacy user / pwd with CA based on IP / location seems very safe. But that said, we can continue the discussion about what is safest, and in that case the only outcome will be that you will need to do 2FA each time our service wants to connect to O365 (and you would need to do that with your Outlook then also...). More importantly:
We are obviously aware that we need to come up with a solution so we can support connection without the legacy authentication protocol. And we are actively working / researching this. However, it will come at a cost. Certain items won't be protected, and certain restores won't be possible. Maybe later they will become available again if we can do everything through Graph, but as of today, we need to work with CSOM (SPO / O4B) and EWS (Exchange Online). Because of these services, we are limited in certain things.
Hope that makes it a bit more clear
-
- Novice
- Posts: 9
- Liked: 3 times
- Joined: Oct 17, 2018 6:13 pm
- Full Name: Christian Petersen
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Hey Mike
Thank you for taking the time to post an answer on the topic
The solution with CA based on IP / location and a specific SA is not that safe. It does prevent the protocol from being used by users, but CA doesn't work until after the authentication has been confirmed.
That means, if we do make use of the solution with CA, we have now just provided a platform for brute-force attacks. Because everyone will be able to test the username & password against the legacy protocol, and when the password is guessed, CA will tell you that you cannot get in.
So now an attacker knows the password of the user.
I'm aware that Veeam and Microsoft are working on resolving the need for the legacy protocol in the application.
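The credential-validation oracle Christian describes above, turned into a check you can run over sign-in logs. This is an added example and is not code from the thread, from Veeam or from Microsoft. It runs over a handful of constructed records shaped like Azure AD sign-in log entries (the userPrincipalName, ipAddress, clientAppUsed, errorCode and conditionalAccessStatus fields of the Microsoft Graph sign-in resource); the two AADSTS error codes and the set of modern-auth client names are my assumptions about Azure AD's values and should be checked against your own tenant's logs before you rely on them.

```python
from collections import defaultdict

# Azure AD (AADSTS) error codes as I understand them; assumption, verify against your tenant
AADSTS_INVALID_CREDENTIALS = 50126  # username or password wrong
AADSTS_BLOCKED_BY_CA = 53003        # password accepted, then refused by Conditional Access

# clientAppUsed values that carry modern auth; anything else is treated as a legacy protocol
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed records shaped like Azure AD sign-in log entries (not real tenant data).
# 198.51.100.7 is the attacker, 203.0.113.0/24 is the company's allowed location.
SIGN_INS = [
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.7",
     "clientAppUsed": "IMAP4", "errorCode": 50126, "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.7",
     "clientAppUsed": "IMAP4", "errorCode": 50126, "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "carol@contoso.example", "ipAddress": "198.51.100.7",
     "clientAppUsed": "IMAP4", "errorCode": 50126, "conditionalAccessStatus": "notApplied"},
    # dave's password was right: the request passed credential validation and CA blocked it
    {"userPrincipalName": "dave@contoso.example", "ipAddress": "198.51.100.7",
     "clientAppUsed": "IMAP4", "errorCode": 53003, "conditionalAccessStatus": "failure"},
    # dave's own laptop, modern auth with MFA, from the office
    {"userPrincipalName": "dave@contoso.example", "ipAddress": "203.0.113.25",
     "clientAppUsed": "Browser", "errorCode": 0, "conditionalAccessStatus": "success"},
    # the backup service account on EWS from the excluded named location: the intended exception
    {"userPrincipalName": "svc-vbo@contoso.example", "ipAddress": "203.0.113.10",
     "clientAppUsed": "Exchange Web Services", "errorCode": 0, "conditionalAccessStatus": "notApplied"},
    # one mistyped password from the office is noise, not a spray
    {"userPrincipalName": "erin@contoso.example", "ipAddress": "203.0.113.25",
     "clientAppUsed": "IMAP4", "errorCode": 50126, "conditionalAccessStatus": "notApplied"},
]


def is_legacy(entry):
    """True when the sign-in used a protocol that cannot satisfy an MFA grant control."""
    return entry["clientAppUsed"] not in MODERN_CLIENT_APPS


def confirmed_passwords(sign_ins):
    """(user, source IP) pairs where a legacy sign-in was accepted by credential
    validation and only then stopped by CA. CA kept the session out, but the
    AADSTS53003 response told the caller that the password is correct."""
    hits = {(e["userPrincipalName"], e["ipAddress"]) for e in sign_ins
            if is_legacy(e) and (e["errorCode"] == AADSTS_BLOCKED_BY_CA
                                 or e["conditionalAccessStatus"] == "failure")}
    return sorted(hits)


def spray_sources(sign_ins, min_users=3):
    """Source IPs that sent wrong passwords over legacy protocols to at least
    min_users distinct accounts: the spray that precedes a confirmed hit."""
    users_by_ip = defaultdict(set)
    for e in sign_ins:
        if is_legacy(e) and e["errorCode"] == AADSTS_INVALID_CREDENTIALS:
            users_by_ip[e["ipAddress"]].add(e["userPrincipalName"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


def triage(sign_ins, min_users=3):
    """Combine both signals; a confirmed password from a spraying IP is the
    case to act on first (reset the password, look for later modern-auth use)."""
    sprayers = spray_sources(sign_ins, min_users)
    confirmed = confirmed_passwords(sign_ins)
    return {
        "spray_sources": sprayers,
        "confirmed_passwords": confirmed,
        "urgent": [pair for pair in confirmed if pair[1] in sprayers],
    }


if __name__ == "__main__":
    for key, value in triage(SIGN_INS).items():
        print(f"{key}: {value}")
```

The point the second function makes is the one the thread turns on: a location-scoped CA exception keeps the backup account's traffic flowing and keeps everyone else out, but it does not stop credential validation on the legacy endpoint, so a spray still learns which passwords are right. Treat every confirmed pair as a compromised password, not as a blocked attempt, and check the same user for later sign-ins from modern clients.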
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Hmmm,
I didn't know that. If that is the case, I actually need to talk to MSFT, because that workflow is wrong. To me, authentication should not even be tried because the first thing that should be checked is CA
-
- Novice
- Posts: 9
- Liked: 3 times
- Joined: Oct 17, 2018 6:13 pm
- Full Name: Christian Petersen
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Hey Mike
Thanks for the quick reply.
That is indeed the case. CA is happening "post-authentication" on the legacy protocol.
I'm currently working on getting an answer from MS on the topic of CA and the legacy protocol. If you decide to contact them, I would very much like to know the answer.
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Yes, I will contact them, but since the holiday season has started, I'm pretty sure it will take some time to get a response...
-
- Enthusiast
- Posts: 53
- Liked: 3 times
- Joined: Oct 24, 2018 8:22 am
- Full Name: Christoph Schulze
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
pls keep us posted.
Attacks on O365 / Azure are increasing
-
- Service Provider
- Posts: 1092
- Liked: 134 times
- Joined: May 14, 2013 8:35 pm
- Full Name: Frank Iversen
- Location: Norway
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Does the cloud have holiday?
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Frank... The cloud not so much... people behind it...
-
- Enthusiast
- Posts: 53
- Liked: 3 times
- Joined: Oct 24, 2018 8:22 am
- Full Name: Christoph Schulze
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Quote from a recent partnermail from Microsoft:
• Blocking legacy authentication will not be enforced for partners at this time. However, as most events related to compromised identities come from sign-in attempts using legacy authentication, partners are encouraged to move away from these older protocols.
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Hi Christoph,
Just to be clear on this. With legacy, they mean username / password. We do support MFA with app registration, which is encouraged here. But the fact remains that we still have some legacy protocols remaining
-
- Service Provider
- Posts: 42
- Liked: 5 times
- Joined: Aug 08, 2014 1:51 pm
- Full Name: Barry Knox
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Do we have any update on this from Veeam/Microsoft? As mentioned earlier disabling of legacy authentication methods is being mandated for Microsoft Partners.
This is being done by enabling something they call Security Defaults (on the surface this looks like a set of free to use conditional access rules)
https://docs.microsoft.com/en-gb/azure/ ... entication
With this enabled, backup no longer functions. I have seen documented workarounds that use custom conditional access policies, but this would require the purchase of Azure AD Premium P2 licences, so it's not without cost.
The other thing in the linked document you may want to note is the following -
If your tenant was created on or after October 22nd, 2019, it’s possible you are experiencing the new secure-by-default behavior and already have security defaults enabled in your tenant. In an effort to protect all of our users, security defaults is being rolled out to all new tenants created.
This suggests security defaults will be coming to all tenants as a default and isn't something only being forced down the neck of Microsoft partners, albeit they would have the option to turn it off but you may see a serious uptick in support calls!
VMCE
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Barry, no real update for now but we are well aware of this point. Once we know more, it will be shared here asap.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
-
- Veeam ProPartner
- Posts: 566
- Liked: 103 times
- Joined: Dec 29, 2009 12:48 pm
- Full Name: Marco Novelli
- Location: Asti - Italy
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
As a Microsoft Gold Partner I confirm that I have enabled "Security Default" on my Azure AD tenant, and VBO stopped working. VBO was already configured and working with Modern Authentication / MFA.
Tarqy wrote: ↑Jan 21, 2020 5:39 pm
Do we have any update on this from Veeam/Microsoft? As mentioned earlier disabling of legacy authentication methods is being mandated for Microsoft Partners.
...
If your tenant was created on or after October 22nd, 2019, it’s possible you are experiencing the new secure-by-default behavior and already have security defaults enabled in your tenant. In an effort to protect all of our users, security defaults is being rolled out to all new tenants created.
This suggests security defaults will be coming to all tenants as a default and isn't something only being forced down the neck of Microsoft partners, albeit they would have the option to turn it off but you may see a serious uptick in support calls!
I get two errors:
Connect to EWS: the request failed with HTTP status 401: unauthorized
Connect to Powershell: connect to outlook.office365.com failed , access denied
Marco
-
- Service Provider
- Posts: 42
- Liked: 5 times
- Joined: Aug 08, 2014 1:51 pm
- Full Name: Barry Knox
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
VBO365 requires legacy authentication protocols and app passwords (when using modern authentication) in order to work.
Security Defaults disables both of these and is exactly the reason I chased this up last week.
VMCE
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Barry,
We are working heavily to have a solution for this. However, if we will stop using legacy authentication protocols, we will suffer from functionality. I can't give a date yet, but know that we are working on such a solution. Also, at the same time, we are working with Microsoft to see how the functionality could return (but that will be the longer route I'm afraid...)
-
- Veeam ProPartner
- Posts: 566
- Liked: 103 times
- Joined: Dec 29, 2009 12:48 pm
- Full Name: Marco Novelli
- Location: Asti - Italy
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Thanks Mike! Would love to have back a set of minimal functionality, it's better than nothing... actually I can't run VBO at all with the new Azure Security Settings for Microsoft Partners.
Marco
-
- Enthusiast
- Posts: 53
- Liked: 3 times
- Joined: Oct 24, 2018 8:22 am
- Full Name: Christoph Schulze
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Are you sure about Azure AD Premium P2? I found this:
https://docs.microsoft.com/en-us/azure/ ... et-started
Microsoft Silver Partners get 25 seats of Enterprise Mobility Suite (E3), regardless of which competency they have. I took this information from the latest IRU file: 'License Table - Competency (November 4th 2019).docx'[...]
Azure AD Premium P1
For customers with Azure AD Premium P1 or similar licenses that include this functionality such as Enterprise Mobility + Security E3, Microsoft 365 F1, or Microsoft 365 E3:
The recommendation is to use Conditional Access policies for the best user experience.
AFAIK there is no Enterprise Mobility Suite (E3), only Enterprise Mobility Suite + Security (E3)
IMHO EMSS E3 would be enough!?
I did not have time to evaluate the options or to search for a guide on how to get VBO 365 running with a Conditional Access policy while staying compliant with the MS Partner requirements.
@Tarqy do you have a guide and can publish it for us?
-
- Veeam ProPartner
- Posts: 566
- Liked: 103 times
- Joined: Dec 29, 2009 12:48 pm
- Full Name: Marco Novelli
- Location: Asti - Italy
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
I have Office 365 E3 licenses, and enabling the new Microsoft Azure Security Default broke VBO since it disables all legacy protocols. Conditional Access can't help, IMHO.
Cheers, Marco
-
- Enthusiast
- Posts: 71
- Liked: 2 times
- Joined: Jul 07, 2010 9:03 pm
- Full Name: Robert
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
New user here, I was about to test out v4. Went through the MFA set up guide only to get stuck on this error "Check LegacyAuthProtocolsEnabled". I would rather have reduced functionality than enable legacy auth. Are there still plans to do that?
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Hi Robert, we are still looking into it as mentioned before but no update for now. We'll post here once we have more info.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
-
- Novice
- Posts: 7
- Liked: 2 times
- Joined: May 17, 2012 2:51 pm
- Full Name: Fred Fish
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Mike Resseler wrote: ↑Dec 10, 2019 10:51 am
Having a legacy user / pwd with CA based on IP/ location seems very safe.
Have to disagree with that. If you whitelist your company's IP for legacy auth (so it bypasses the MFA check), this means that if you have an internal threat that gets hold of the user/pass by whatever means, they can wipe out your 365 tenant.
It does minimise the external risks, but it's an incredibly powerful account to leave without any form of internal MFA.
-
- Service Provider
- Posts: 26
- Liked: 9 times
- Joined: Mar 18, 2014 9:13 am
- Full Name: Mats
Why not modern auth on sharepoint and onedrive?
Hi Veeam
I'm a bit confused. In this forum you have written that Microsoft does not have API support for modern auth on SharePoint and OneDrive.
A potential new customer (we are a service provider and offer O365 backup in our datacenter) informed us that Keepit can back up O365 using only modern auth.
How is that possible?
Why is this a big issue for us? The potential new customer has 3000 O365 users and 50 TB of data!
No modern auth, no new customers.
/Mats
Mats
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Mats, not everything we offer is available via modern auth so this is a limitation of the API. I merged your post with the ongoing discussion topic where updates are posted once they are available.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
-
- Service Provider
- Posts: 26
- Liked: 9 times
- Joined: Mar 18, 2014 9:13 am
- Full Name: Mats
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Is there any roadmap when supporting modern auth all the way?
We want to keep using Veeam but we are losing this customer.
Mats
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
The update is the same, we are fully looking into this but as Mike said, we will lose some functionality. No ETA for now.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
-
- Service Provider
- Posts: 26
- Liked: 9 times
- Joined: Mar 18, 2014 9:13 am
- Full Name: Mats
Re: v3 - LegacyAuthProtocolIsEnabled still required?
I totally agree with m.novelli, we are fine with only minimal functionality, just to get modern auth working all the way.
Mats