Maintain control of your Microsoft 365 data
dotdk
Service Provider
Posts: 63
Liked: 20 times
Joined: Jun 14, 2019 11:55 am
Full Name: Thomas Lund

Deprecation of ApplicationImpersonation - Certificate exportable private key.

Post by dotdk » 1 person likes this post

Following Microsoft's deprecation of ApplicationImpersonation, Veeam has released KB4708 (https://www.veeam.com/kb4708), explaining that Exchange Online data can now be restored using modern certificate-based authentication, which no longer requires assigning the ApplicationImpersonation role.

As a service provider, we have a specific question regarding this new method:

Typically, we configure an M365 server that our customers can access for various restore tasks which are not possible through the restore portal.

For our customers to perform restores using certificate-based authentication, the application registration certificate must have an exportable private key. If the key isn't exportable, it does not appear in the "Select certificate from the Certificate Store of this server" option. Our concern is that having a certificate with an exportable private key, although the risk is probably low, could allow a malicious admin (either from the customer side or the MSP) to export the certificate and potentially access the tenant remotely via PowerShell:

Connect-ExchangeOnline -CertificateThumbPrint "exported_certificate_thumbprint" -AppID "application_registration_ID" -Organization "tenantname.onmicrosoft.com"

Is there a way to configure this so that the certificate can be selected through the wizard without having an exportable private key?
We have logged a case (#07686331) already, but so far no real alternative / workaround has been presented.

How are other MSPs handling this new scenario?
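As an added example (not from the post, from Veeam, or from Microsoft), the following PowerShell audit lists which certificates in the server's machine store carry a private key that an admin could export, so the exposure described above can be checked before and after the restore server is handed to customers. The function and parameter names are my own, and the store path and the elevated-session requirement are assumptions.

```powershell
# Added example: report certificates whose private key is exportable.
# Assumption: run in an elevated PowerShell session on the server that holds
# the app-registration certificate (store path is a placeholder you can change).
function Get-ExportablePrivateKeyReport {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [string[]]$Thumbprint      # optional: restrict to specific certificates
    )

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey } |
        Where-Object { -not $Thumbprint -or $Thumbprint -contains $_.Thumbprint } |
        ForEach-Object {
            $cert = $_
            $provider = 'non-RSA/unknown'
            $exportable = $null
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG keys carry an export policy on the key handle.
                    $provider = 'CNG'
                    $policy = $rsa.Key.ExportPolicy
                    $allowExport = [System.Security.Cryptography.CngExportPolicies]::AllowExport
                    $allowPlain  = [System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport
                    $exportable = ([int]($policy -band $allowExport) -ne 0) -or
                                  ([int]($policy -band $allowPlain) -ne 0)
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CAPI keys report exportability on the key container.
                    $provider = 'CAPI'
                    $exportable = $rsa.CspKeyContainerInfo.Exportable
                }
            } catch {
                # Access denied or a hardware-backed key: record why instead of failing.
                $exportable = "unknown ($($_.Exception.Message))"
            }
            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Provider   = $provider
                Exportable = $exportable
            }
        }
}

# Usage: show only the certificates a local admin could export.
Get-ExportablePrivateKeyReport | Where-Object { $_.Exportable -eq $true } | Format-Table -AutoSize
```

Certificates that appear with Exportable = True are the ones whose thumbprint would work in the Connect-ExchangeOnline command quoted above from another machine, so they are the ones to track in your inventory and to re-check after any change on the restore server.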
