Maintain control of your Microsoft 365 data
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina » 1 person likes this post

We heard you loud and clear, and we're actively working on the solution atm.
c.schulzejn
Enthusiast
Posts: 53
Liked: 3 times
Joined: Oct 24, 2018 8:22 am
Full Name: Christoph Schulze
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by c.schulzejn »

I agree too.
If it's just some features, which prevent using modern auth, then make them optional or give a warning message, that feature X, Y and Z won't work with it.
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina » 1 person likes this post

Christoph,

That's noted!
mcbsys
Influencer
Posts: 19
Liked: 5 times
Joined: Sep 07, 2018 3:23 pm
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by mcbsys » 1 person likes this post

I too have been bitten by the forced downgrade from the "beta" baseline policies to the final all-or-nothing Security Defaults.

Thanks to this thread, I realized that as a Microsoft Action Pack partner, I have 5 Enterprise Mobility + Security E3 internal use licenses, which includes Azure AD Premium P1 (normally $6/user/month), which includes the ability to set up Conditional Access Policies (CAPs). After applying that to just one user in my tenant, the Add button is no longer grayed out and I can start adding CAPs. So I'm pretty sure I could get VBO working again by disabling Security Defaults, then setting up granular CAPs and allowing legacy auth for the VBO service account.

Also thanks to this thread, I'm not sure that's a good idea.

Not sure if this helps, but I haven't seen anyone mention here that Exchange Powershell now fully supports modern auth MFA. I guess I can't post links here, but you can find the Microsoft docs article by searching for "Connect to Exchange Online PowerShell using multi-factor authentication." It's inconvenient (requires installing a helper app), but it works. Of course that only requires temporary access whereas Veeam requires permanent, service-level access, so not sure if the tokens could be obtained and stored the same way.

In the opening entry for case 04009203, I've posted a link to a competitor's O365 backup app that as far as I know obtains and retains all its permissions through modern auth. It's basically a full screen of "Is it okay to give this app the following permissions?" Of course I don't know if Veeam needs permissions that the other app doesn't, or if the other app is excluding items that Veeam captures.

Looking forward to seeing Veeam's solution to this!
paulyberg
Lurker
Posts: 1
Liked: never
Joined: Feb 27, 2020 1:25 am
Full Name: Paul Youngberg
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by paulyberg »

My tenant doesn't even have access to use app passwords anymore, even with the "Allow users to create app passwords to sign in to non-browser apps" service setting enabled. If you enforce Multi-Factor Authentication through Conditional Access policies and not through per-user MFA, you cannot create app passwords. Applications that use Conditional Access policies to control access do not need app passwords. (https://docs.microsoft.com/en-us/azure/ ... -passwords) In fact, the preview version of the new AAD combined SSPR / MFA registration experience hides the option to create app passwords entirely, so it appears Microsoft is very close to disabling this option on tenants everywhere (https://docs.microsoft.com/en-us/azure/ ... r-combined)

Microsoft is completely disabling the legacy / basic auth methods in Exchange Online in October 2020, so keep in mind this will start to affect everyone very soon. (https://techcommunity.microsoft.com/t5/ ... -p/1191282)

As of now we've spent the last 6 months of our 12 month Veeam O365 subscription without O365 backups because of the problem with not being able to use app passwords.
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina »

Hi Paul,

VBO is getting ready for the changes and will be able to work without app passwords and legacy protocols. The functionality will remain as rich as Graph APIs allow to implement, but some limitations are inevitable.

In your case with CA policies, a workaround would have been first to manually enable your backup service account for MFA and create an app password before enabling the CA policies (based on what we were seeing in our labs).

Thanks!
jmerchan
Service Provider
Posts: 15
Liked: 3 times
Joined: Jul 05, 2010 8:12 am
Full Name: Jose
Contact:

[MERGED] enabling security defaults breaks backups

Post by jmerchan »

Hello.

We are Microsoft CSP partner, and Microsoft forced to all csp partners to enable Security Defaults before 29 February

But when we enabled Office365 Security Defaults, backups from Veeam for Office 365 v4 stopped working

Is there another Microsoft CSP Partner that resolved this issue?

Thanks, best regards
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina »

Hi Jose,

I merged your post to the relevant discussion.

To get your backups working again while staying compliant to Microsoft partner security requirements, you'll need to disable security defaults and configure a set of common CA policies instead. Make sure to exclude your VBO service account from the Block legacy authentication policy, since legacy protocols are currently required for VBO. Also, make sure to enable app passwords for your service account, as documented here.

Thanks!
jcl2rk
Lurker
Posts: 1
Liked: never
Joined: Mar 03, 2020 2:42 pm
Full Name: John Clark
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by jcl2rk »

I have ensured security defaults are disabled.
I made the policy that excludes vbo_account from legacy auth.
I'm still getting this error

"Check legacyAuthProtocolsEnabled: "center" is an unexpected token.
The expected token is "". Line 7, position 12.
Image

Any suggestion? Thanks!

Case #04019814
mamosorre84
Veeam Legend
Posts: 336
Liked: 34 times
Joined: Oct 24, 2016 3:56 pm
Full Name: Marco Sorrentino
Location: Ancona - Italy
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by mamosorre84 »

Polina wrote: Feb 28, 2020 12:09 pm Hi Jose,

I merged your post to the relevant discussion.

To get your backups working again while staying compliant to Microsoft partner security requirements, you'll need to disable security defaults and configure a set of common CA policies instead. Make sure to exclude your VBO service account from the Block legacy authentication policy, since legacy protocols are currently required for VBO. Also, make sure to enable app passwords for your service account, as documented here.

Thanks!
Hello Polina,

just to better understand..this change is due to Microsoft security requirements updated or something introduced with the VBO v4 version?

Before upgrade from v3 to v4 my backups worked fine, I don't know if it is just a coincidence..

Thanks

Marco S.
JamieRidgeway
Service Provider
Posts: 16
Liked: never
Joined: Mar 07, 2018 10:25 am
Full Name: Jamie Ridgeway
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by JamieRidgeway »

Hi,

With Microsoft depreciating basic authentication for Exchange Online in October 2020 I raised a support case to check if this would affect our tenants backups currently using basic authentication. It now sounds like this will affect all backups no matter if they are using basic or modern authentication, as both still utilise some kind of basic auth on the 365 side.

Can you advise if there will be an update that will avoid this causing a major problem with the product?

Kind regards
Jamie
nielsengelen
Product Manager
Posts: 5619
Liked: 1177 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by nielsengelen »

Jamie, we are working hard on a solution for this sudden change. As you stated, it was ment for October but pushed forward by Microsoft.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
mamosorre84
Veeam Legend
Posts: 336
Liked: 34 times
Joined: Oct 24, 2016 3:56 pm
Full Name: Marco Sorrentino
Location: Ancona - Italy
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by mamosorre84 »

Hi,

I don't understand, also Veeam account with MFA is affected?

Thanks

Marco S.
nielsengelen
Product Manager
Posts: 5619
Liked: 1177 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by nielsengelen »

It is a change on Microsoft’s side, not on Veeam. We will resolve this issue. If you are facing specific errors or issues, you should contact support for insight.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
mamosorre84
Veeam Legend
Posts: 336
Liked: 34 times
Joined: Oct 24, 2016 3:56 pm
Full Name: Marco Sorrentino
Location: Ancona - Italy
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by mamosorre84 »

Hi Niels,

I'm glad to hear you're working on it, but even if it is a change on the Microsoft side, it would be useful for Veeam users to have an official KB where the problem and the possible workaround are indicated, rather than wasting time opening tickets..

Marco S.
nielsengelen
Product Manager
Posts: 5619
Liked: 1177 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by nielsengelen »

Marco, the reason why I mention using support is because you stated v3 was working and v4 isn't working but it isn't clear what error you are seeing and if it is related to this.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
mamosorre84
Veeam Legend
Posts: 336
Liked: 34 times
Joined: Oct 24, 2016 3:56 pm
Full Name: Marco Sorrentino
Location: Ancona - Italy
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by mamosorre84 »

Hi Niels,

the errors are:

Connect to EWS: The request failed with HTTP status 401: Unauthorized.
Connect to PowerShell: Connecting to remote server outlook.office365.com failed with the following error message : Access is denied

I'm using VBO265 latest patch (4.0.0.2516), and testing both with MFA and legacy account configured as https://www.veeam.com/kb2969

I'd like to understand if I'm in this "bug" or not.

If not, it makes sense to open a ticket..

Thanks

Marco S.
nielsengelen
Product Manager
Posts: 5619
Liked: 1177 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by nielsengelen »

Marco, please open a ticket as this message can mean multiple things. I can't say if it is related to this change by Microsoft or not as this is most likely a configuration issue for the used account. Could you also give us the case ID once opened (can be in private message)?
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
mamosorre84
Veeam Legend
Posts: 336
Liked: 34 times
Joined: Oct 24, 2016 3:56 pm
Full Name: Marco Sorrentino
Location: Ancona - Italy
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by mamosorre84 »

Ok, thank you :wink:
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina »

@mamosorre84,

This may be a coincidence if along with the VBO upgrade you have changed the security settings in your O365 Admin Center and enabled the new Security Defaults.
Please continue working with support engineers; we'll follow up on the investigation by your case ID.

Thanks!
thomas_ack
Service Provider
Posts: 5
Liked: never
Joined: Apr 11, 2019 9:32 am
Full Name: Thomas
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by thomas_ack »

we are facing the same issues. Veeam Case #04034139
We are hoping for a fast fix because we cannot change anything ourselfs. As already mentioned, Security defaults are mandatory for CSP partners and legacy auth is shut down completely for this tenant.
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina »

Tomas,

Following Microsoft documentation, security defaults are not mandatory for partners to stay compliant. The main requirement is to enable MFA for all users within a tenant with no exceptions.

However, we do understand your concerns and are working now to ensure the VBO support for any O365 tenants regardless of their configuration. The fix is coming soon, please stay tuned for updates here on forums.

Thanks!
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina » 2 people like this post

... it would be useful for Veeam users to have an official KB where the problem and the possible workaround are indicated...
Please refer to KB 3125 for more information on the workaround.
m.novelli
Veeam ProPartner
Posts: 504
Liked: 84 times
Joined: Dec 29, 2009 12:48 pm
Full Name: Marco Novelli
Location: Asti - Italy
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by m.novelli »

Hi guys, just got this newsletter from SkyKick competitor. Seems they are able to work even with Security Defaults turned on, thanks to an "Azure Active Directory Agent (AADA)"

Cheers

Dear Marco,

Security in the Cloud has become only more important recently with the dramatic acceleration of remote working scenarios. Over the past several years SkyKick’s focus has been developing the technology to protect your customers’ intellectual property through continued product innovation. Today, we are taking the next step in our commitment to security by transitioning from basic to modern authentication with the support of OAuth. This will allow Multi-Factor Authentication (MFA) to be enabled on all user accounts in Office 365.

Moving forward, when creating a new subscription on the SkyKick Partner Portal or most marketplaces, Office 365 global administrator credentials will be provided directly to Microsoft. This modern authentication flow installs the SkyKick Azure AD application for more secure access. Additionally, Cloud Backup introduced some minor user experience updates based on partner feedback. You can learn more about the latest Cloud Backup subscription management options here.

So, what do I need to do?

For all active subscriptions, SkyKick recommends that you enable Security Defaults on Office 365 tenants and change the password for the tenant’s global administrator account provided during initial subscription creation. There is no additional action required on your part. SkyKick has updated the subscriptions to support modern authentication.

What about subscriptions placed through marketplaces?

SkyKick is working closely with the marketplaces to help with the transition to modern authentication. In some marketplaces, the transition has already been completed. For these, global administrator credentials will be provided directly to Microsoft. However, with some you will still need to provide the global administrator credentials on their site using basic authentication. For those, once Cloud Backup has installed the Azure Active Directory Agent (AADA), those credentials are no longer required, so you can then change the administrator’s password and enable Security Defaults on Office 365 tenant. To get full list of marketplaces which support modern authentication, please see Marketplaces and authentication for Cloud Backup.
nielsengelen
Product Manager
Posts: 5619
Liked: 1177 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by nielsengelen » 2 people like this post

Hi Marco, we are working on an update for this to support this change by Microsoft asap. We'll update this thread once it is available.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
m.novelli
Veeam ProPartner
Posts: 504
Liked: 84 times
Joined: Dec 29, 2009 12:48 pm
Full Name: Marco Novelli
Location: Asti - Italy
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by m.novelli »

Super!
m.novelli
Veeam ProPartner
Posts: 504
Liked: 84 times
Joined: Dec 29, 2009 12:48 pm
Full Name: Marco Novelli
Location: Asti - Italy
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by m.novelli » 1 person likes this post

Today I've upgraded to VBO 4.0.0.2516 (before I had build 4.0.0.1553) and I've tried again to connect to O365 with Security Defaults turned ON and... it worked! I don't know if Microsoft changed something on the backend

VBO is backupping right now my mailboxes, I'm super happy

Marco
mamosorre84
Veeam Legend
Posts: 336
Liked: 34 times
Joined: Oct 24, 2016 3:56 pm
Full Name: Marco Sorrentino
Location: Ancona - Italy
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by mamosorre84 » 1 person likes this post

I confirm it works now!

Waiting for Veeam official announcement.. :)

Marco S.
Mildur
Product Manager
Posts: 8549
Liked: 2223 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mildur » 1 person likes this post

Microsoft has postponed the process of disabling Basic Auth to 2021. This could be the reason, that it‘s working again :) Something changed in the background, either if you have enabled or disabled security settings.

https://techcommunity.microsoft.com/t5/ ... M.facebook
Product Management Analyst @ Veeam Software
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mike Resseler » 2 people like this post

@Mildur Yep, we have seen the same news. We will look into this during this week to see what effectively has changed on the backend. If this is the case, it does has a few advantages:
* We are working on a full MFA support version (out soon) but it does come with a few limitations
* As an example, you will see that creating a job with dynamic distribution groups won't work anymore because we cannot query the information without basic auth. And there is other functionality that doesn't work because it is not available in the newest methods for query.
* We made MSFT aware of it, and they are very willing to work on it, but it obviously takes some time.
So basically, with this new deadline, there is a change that we will have full functionality again by 2021, while supporting the default security baseline very soon. Fingers crossed :-)
Post Reply

Who is online

Users browsing this forum: Semrush [Bot] and 14 guests