Hello,
It is currently not possible to enable 2FA protection on the account used to connect to Office 365 resources.
We've enabled Modern Authentication in Veeam Backup for Office 365, but this doesn't enforce extra protection on this account.
Our company policy enforces us to protect all external accounts with 2FA, but this account (which needs to be SharePoint admin & Exchange admin) cannot be enabled for 2FA because otherwise, Veeam Backup for Office 365 cannot connect.
So, would it be possible to enlist this as a feature request?
Many thanks,
Sven
-
sevasofico
- Lurker
- Posts: 2
- Liked: never
- Joined: May 14, 2019 11:54 am
- Full Name: Sven Van den Broeck
- Contact:
-
Mike Resseler
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: Feature Request: 2FA protection Office 365 account
Hi Sven,
First: Welcome to the forums
Second: I am not sure if I understand this. MFA which we use is double authentication. 2FA (which I assume you mean username/ password and then sms or similar as second authentication) won't work because you will need to perform an action each time a backup job needs to run. That won't be pleasant for the backup admin
. The MFA with app password is specifically created for this.
First: Welcome to the forums
Second: I am not sure if I understand this. MFA which we use is double authentication. 2FA (which I assume you mean username/ password and then sms or similar as second authentication) won't work because you will need to perform an action each time a backup job needs to run. That won't be pleasant for the backup admin
. The MFA with app password is specifically created for this.-
sevasofico
- Lurker
- Posts: 2
- Liked: never
- Joined: May 14, 2019 11:54 am
- Full Name: Sven Van den Broeck
- Contact:
Re: Feature Request: 2FA protection Office 365 account
Hi Mike,
I agree the connection of Veeam Backup for Office 365 is secure with proper MFA (modern authentication).
But at the same time, it leaves the account used to connect exposed in Office 365 itself, because it can still be used to connect to Office 365 (with SharePoint & Exchange admin permissions) outside of Veeam.
Is there some way to either limit the account so it can only be used for Veeam or either to allow accounts with 2FA enabled within Veeam?
Microsoft uses a principle where you can trust a "device", so I guess our backup-server could be added as a trusted device?
That way, only the first time I would have to be required to perform double authentication.
Hopefully, this has clarified my question a bit?
I agree the connection of Veeam Backup for Office 365 is secure with proper MFA (modern authentication).
But at the same time, it leaves the account used to connect exposed in Office 365 itself, because it can still be used to connect to Office 365 (with SharePoint & Exchange admin permissions) outside of Veeam.
Is there some way to either limit the account so it can only be used for Veeam or either to allow accounts with 2FA enabled within Veeam?
Microsoft uses a principle where you can trust a "device", so I guess our backup-server could be added as a trusted device?
That way, only the first time I would have to be required to perform double authentication.
Hopefully, this has clarified my question a bit?
-
Mike Resseler
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: Feature Request: 2FA protection Office 365 account
I think I understand it now...
One of the things that I have been told by customers is that they (for example) use still basic authentication (which is still possible with O365) but use conditional access to limit the access from a specific location (the VBO server) or something similar. Would that help? By the way, if you enable it with 2FA but apply the modern authentication on it, it should work? Have you seen the whitepaper where we described the entire process? One of the things is that you still need to do this 2FA the first time (if I am not mistaken) during setup of the account.
The WP: https://www.veeam.com/wp-modern-authent ... ce-v3.html (Page 10 it starts). Hope it helps
One of the things that I have been told by customers is that they (for example) use still basic authentication (which is still possible with O365) but use conditional access to limit the access from a specific location (the VBO server) or something similar. Would that help? By the way, if you enable it with 2FA but apply the modern authentication on it, it should work? Have you seen the whitepaper where we described the entire process? One of the things is that you still need to do this 2FA the first time (if I am not mistaken) during setup of the account.
The WP: https://www.veeam.com/wp-modern-authent ... ce-v3.html (Page 10 it starts). Hope it helps
Who is online
Users browsing this forum: No registered users and 7 guests