-
- Enthusiast
- Posts: 43
- Liked: 5 times
- Joined: Sep 02, 2014 3:06 pm
- Contact:
Issues authenticating
We initially set up VBO with a global admin account, but now we want to use an account of least privilege. I've created the account and set it up with the Sharepoint and Exchange permissions as outlined here, https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=20. When trying to use this account to connect VBO to our tenant I cannot get past the Connect to EWS and Microsoft Graph actions. EWS fails with HTTP status 401: Unauthorized and Microsoft Graph with Failed to get Microsoft Graph resource ID. As far as I can tell this new account is not set up to use MFA. We do have MFA turned on for the accounts we use to administer O365 but that's only about 4 accounts, everyone else isn't set up to use it. Am I missing an additional privilege or roll somewhere?
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: Issues authenticating
Hey Matt,
Are you doing this with version 2? Or trying this with the beta of version 3?
Are you doing this with version 2? Or trying this with the beta of version 3?
-
- Veeam Software
- Posts: 3195
- Liked: 774 times
- Joined: Oct 21, 2011 11:22 am
- Full Name: Polina Vasileva
- Contact:
Re: Issues authenticating
Matt,
If you're running v2 with a non-MFA enabled account, it only requires username and password to authenticate to EWS and Graph, so it might be worth to ensure that you provide the correct credentials. Also, for the newly configured accounts, it takes some time to sync the changes in O365; if you use it immediately with VBO the authentication may fail.
If you're running v2 with a non-MFA enabled account, it only requires username and password to authenticate to EWS and Graph, so it might be worth to ensure that you provide the correct credentials. Also, for the newly configured accounts, it takes some time to sync the changes in O365; if you use it immediately with VBO the authentication may fail.
-
- Enthusiast
- Posts: 43
- Liked: 5 times
- Joined: Sep 02, 2014 3:06 pm
- Contact:
Re: Issues authenticating
Mike - Sorry, using version 2. You just dropped the beta and I didn't think to include the version.
Polina - I've verified the credentials. The account was made on Friday so I would hope that would be enough time. I was unsure what all was needed for EWS and Graph, but if it's just username and password I'll go back and dig deeper into the account to see what it's doing.
Polina - I've verified the credentials. The account was made on Friday so I would hope that would be enough time. I was unsure what all was needed for EWS and Graph, but if it's just username and password I'll go back and dig deeper into the account to see what it's doing.
-
- Veeam Software
- Posts: 3195
- Liked: 774 times
- Joined: Oct 21, 2011 11:22 am
- Full Name: Polina Vasileva
- Contact:
Re: Issues authenticating
Matt,
If the credentials are correct and you can successfully login with this account to portal.office.com, then it might be something with your LAN proxy settings. In this case, it'd be best to open a support case and let our engineers verify the configuration.
If the credentials are correct and you can successfully login with this account to portal.office.com, then it might be something with your LAN proxy settings. In this case, it'd be best to open a support case and let our engineers verify the configuration.
-
- Enthusiast
- Posts: 43
- Liked: 5 times
- Joined: Sep 02, 2014 3:06 pm
- Contact:
Re: Issues authenticating
I can log into portal.office.com. Would the proxy settings affect two accounts differently because if I use the global admin account everything works as expected.
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: Issues authenticating
As you are getting a 401 Unauthorized result within Graph, it should/could mean 2 things:
- Wrong credentials
- Wrong permissions for the ApplicationImpersonation
I would suggest opening a support case as the logs will most likely tell more and they can assist you.
- Wrong credentials
- Wrong permissions for the ApplicationImpersonation
I would suggest opening a support case as the logs will most likely tell more and they can assist you.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
GitHub: https://github.com/nielsengelen
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: Issues authenticating
Matt,
I agree. One thing you should know is that when you can open the portal, it doesn't mean you have all the rights to the grap API. For example, see what you can do in the Azure AD admin portal. It might be that you are not allowed to do things over there.
I agree. One thing you should know is that when you can open the portal, it doesn't mean you have all the rights to the grap API. For example, see what you can do in the Azure AD admin portal. It might be that you are not allowed to do things over there.
-
- Enthusiast
- Posts: 43
- Liked: 5 times
- Joined: Sep 02, 2014 3:06 pm
- Contact:
Re: Issues authenticating
Ack, I forgot to post that I opened, and have since closed, a case; 03423925. It turned out it was the Conditional Access Policy. Apparently Office 365 and Azure AD don't quite work the way I thought they did, and when I was initially looking into the MFA status for the account it was saying it wasn't enabled. Turns out that particular page really only applies to tenants that don't have Azure AD licensing, and if you do have AAD licensing that page is ignored. I just wasn't familiar enough with some of the idiosyncrasies of O365/AAD to find exactly what I was looking for.
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: Issues authenticating
Matt,
Good to hear. Thanks for letting us know. I am sure some others will have the same issues at some point. I am not going to comment too much on AAD/ O365 but sometimes it is indeed rather difficult to figure out what portal to use, and depending on the portal, the procedures seem to be quite different also
Good to hear. Thanks for letting us know. I am sure some others will have the same issues at some point. I am not going to comment too much on AAD/ O365 but sometimes it is indeed rather difficult to figure out what portal to use, and depending on the portal, the procedures seem to be quite different also
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Nov 15, 2019 6:36 am
- Full Name: Euan Ramsay
- Contact:
Re: Issues authenticating
Yup, same issue here for me.
Account can logon to portal etc, but fails on Veeam.
Connect to Microsoft graph = OK
Connect to EWS = FAIL. HTTP status 401 error
Connect to Powershell = FAIL. The sign-in name or password does not match...
Account can logon to portal etc, but fails on Veeam.
Connect to Microsoft graph = OK
Connect to EWS = FAIL. HTTP status 401 error
Connect to Powershell = FAIL. The sign-in name or password does not match...
-
- Veeam Software
- Posts: 3195
- Liked: 774 times
- Joined: Oct 21, 2011 11:22 am
- Full Name: Polina Vasileva
- Contact:
Re: Issues authenticating
Hi Euan and welcome to the Community!
To things to check first: 1) do you have legacy authentication protocols enabled? (more on this here) 2) are there any CA policies requiring an MFA in EWS?
Thanks
To things to check first: 1) do you have legacy authentication protocols enabled? (more on this here) 2) are there any CA policies requiring an MFA in EWS?
Thanks
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Feb 07, 2020 4:09 pm
- Full Name: Silvio Schädler
- Contact:
Re: Issues authenticating
Hi Together
I've only experience with VEEAM and ON-Prem solutions, thats my first try in VOB, i hope the question is no to dummy , but i don't find any solution on the web.
I've the same problem like silverburn:
Connect to Microsoft graph = OK
Connect to EWS = FAIL. HTTP status 401 error
Connect to Powershell = FAIL. By the Connect with the Remoteserver is the followed failure: permission denied.
Has anyone an idea? The right link or the solution. Thanks a lot.
Best regards
Silvio
I've only experience with VEEAM and ON-Prem solutions, thats my first try in VOB, i hope the question is no to dummy , but i don't find any solution on the web.
I've the same problem like silverburn:
Connect to Microsoft graph = OK
Connect to EWS = FAIL. HTTP status 401 error
Connect to Powershell = FAIL. By the Connect with the Remoteserver is the followed failure: permission denied.
Has anyone an idea? The right link or the solution. Thanks a lot.
Best regards
Silvio
-
- Veeam Software
- Posts: 3195
- Liked: 774 times
- Joined: Oct 21, 2011 11:22 am
- Full Name: Polina Vasileva
- Contact:
Re: Issues authenticating
Hi Silvio and welcome to the Community!
VBO requires legacy authentication protocols to be enabled in the O365 tenant. If your tenant is using the Security Defaults, these protocols are disabled and VBO cannot connect to EWS and PowerShell. I'd start troubleshooting with this check.
Thanks!
VBO requires legacy authentication protocols to be enabled in the O365 tenant. If your tenant is using the Security Defaults, these protocols are disabled and VBO cannot connect to EWS and PowerShell. I'd start troubleshooting with this check.
Thanks!
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Feb 07, 2020 4:09 pm
- Full Name: Silvio Schädler
- Contact:
Re: Issues authenticating
Hey Polina,
Thank you so much for the hint, its function now.
I have deactivated the default policy (Printscreen https://bevioitservices.sharepoint.com/ ... w?e=m8fupd), maybe there is a way to assign with less authorization, unfortunately I do not have the time to test it . If someone knows a working variant with less rights assignment, please post it .
Thanks
Silvio
Thank you so much for the hint, its function now.
I have deactivated the default policy (Printscreen https://bevioitservices.sharepoint.com/ ... w?e=m8fupd), maybe there is a way to assign with less authorization, unfortunately I do not have the time to test it . If someone knows a working variant with less rights assignment, please post it .
Thanks
Silvio
-
- Veeam Software
- Posts: 3195
- Liked: 774 times
- Joined: Oct 21, 2011 11:22 am
- Full Name: Polina Vasileva
- Contact:
Re: Issues authenticating
Silvio,
We're working on some changes to simplify the process, but with no ETAs yet.
Thanks for getting back on this!
We're working on some changes to simplify the process, but with no ETAs yet.
Thanks for getting back on this!
Who is online
Users browsing this forum: No registered users and 9 guests