Following Microsoft's deprecation of ApplicationImpersonation, Veeam has released KB4708 (https://www.veeam.com/kb4708), explaining that Exchange Online data can now be restored using modern certificate-based authentication, which no longer requires assigning the ApplicationImpersonation role.
As a service provider, we have a specific question regarding this new method:
Typically, we configure an M365 server that our customers can access for various restore tasks that are not possible through the restore portal.
For our customers to perform restores using certificate-based authentication, the application registration certificate must have an exportable private key. If the key isn't exportable, it does not appear in the "Select certificate from the Certificate Store of this server" option. Our concern is that having a certificate with an exportable private key (although the risk is probably low) could allow a malicious admin (either from the customer side or the MSP) to export the certificate and potentially access the tenant remotely via PowerShell:
Connect-ExchangeOnline -CertificateThumbPrint "exported_certificate_thumbprint" -AppID "application_registration_ID" -Organization "tenantname.onmicrosoft.com"
Is there a way to configure this so that the certificate can be selected through the wizard without having an exportable private key?
We have logged a case (#07686331) already, but so far no real alternative / workaround has been presented.
How are other MSPs handling this new scenario?
- Service Provider
- Posts: 64
- Liked: 20 times
- Joined: Jun 14, 2019 11:55 am
- Full Name: Thomas Lund
- Contact:
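As an added example, not part of this thread and not Veeam's code, the following PowerShell shows how an administrator can audit which certificates in the local machine store carry an exportable private key (the property the original post is worried about) and how a certificate with a non-exportable key is created for comparison. The store path, subject name and validity period are placeholders; whether the Veeam wizard lists the resulting certificate is exactly the question the thread raises and is not settled here.

```powershell
# Added example (not from the thread or from Veeam). Tested logic relies only on
# standard .NET / Windows PowerShell APIs: X509Certificate2, RSACng, RSACryptoServiceProvider
# and the built-in New-SelfSignedCertificate cmdlet.

function Get-PrivateKeyExportability {
    # Lists every certificate with a private key in the given store and reports
    # whether that key can be exported (the risk the original post describes).
    param([string]$StorePath = 'Cert:\LocalMachine\My')   # placeholder store path

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $exportable = 'unknown'
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG keys: check the AllowExport flag on the key's export policy
                $policy = $rsa.Key.ExportPolicy
                $exportable = ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CSP keys expose the flag directly
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            }
        }
        catch {
            # Key stored in hardware or inaccessible to this account; leave as 'unknown'
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Exportable = $exportable
        }
    }
}

function New-NonExportableAppCertificate {
    # Creates a self-signed certificate whose private key is flagged non-exportable.
    # Only the public certificate (.cer) would then be uploaded to the app registration.
    param(
        [string]$Subject   = 'CN=Placeholder-VB365-Restore',   # placeholder subject
        [int]$ValidYears   = 1
    )
    New-SelfSignedCertificate `
        -Subject $Subject `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -KeyAlgorithm RSA -KeyLength 2048 `
        -HashAlgorithm SHA256 `
        -KeyUsage DigitalSignature `
        -KeyExportPolicy NonExportable `
        -NotAfter (Get-Date).AddYears($ValidYears)
}

# Usage: create the certificate, then confirm the audit reports Exportable = False for it.
$cert = New-NonExportableAppCertificate
Get-PrivateKeyExportability | Where-Object { $_.Thumbprint -eq $cert.Thumbprint } | Format-Table -AutoSize
```

Running the audit periodically against the shared restore server gives the MSP a list of certificates whose private keys could leave the machine; any entry with Exportable = True for an Exchange Online app registration is worth reviewing against the risk described in the post.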
- Veeam Legend
- Posts: 516
- Liked: 143 times
- Joined: Apr 22, 2022 12:14 pm
- Full Name: Danny de Heer
- Contact:
Re: Deprecation of ApplicationImpersonation - Certificate exportable private key.
hmm, isn't the requirement that the server HAS the private key, not that it's exportable?
Afaik you can import / generate a certificate where you give the option that the key is non-exportable.
Could be understanding your post wrong though.
VMCE / Veeam Legend 2*
- Service Provider
- Posts: 64
- Liked: 20 times
- Joined: Jun 14, 2019 11:55 am
- Full Name: Thomas Lund
- Contact:
Re: Deprecation of ApplicationImpersonation - Certificate exportable private key.
Problem is that if the key is NOT exportable, the certificate is not detected by the restore wizard when using the Modern Authentication (certificate-based) option.
At least that is the result of all our testing.