Issues authenticating

[mlange]

We initially set up VBO with a global admin account, but now we want to use an account of least privilege. I've created the account and set it up with the Sharepoint and Exchange permissions as outlined here, https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=20. When trying to use this account to connect VBO to our tenant I cannot get past the Connect to EWS and Microsoft Graph actions. EWS fails with HTTP status 401: Unauthorized and Microsoft Graph with Failed to get Microsoft Graph resource ID. As far as I can tell this new account is not set up to use MFA. We do have MFA turned on for the accounts we use to administer O365 but that's only about 4 accounts, everyone else isn't set up to use it. Am I missing an additional privilege or roll somewhere?

[Mike Resseler]

Hey Matt,
Are you doing this with version 2? Or trying this with the beta of version 3?

[Polina]

Matt,

If you're running v2 with a non-MFA enabled account, it only requires username and password to authenticate to EWS and Graph, so it might be worth to ensure that you provide the correct credentials. Also, for the newly configured accounts, it takes some time to sync the changes in O365; if you use it immediately with VBO the authentication may fail.

[mlange]

Mike - Sorry, using version 2. You just dropped the beta and I didn't think to include the version.

Polina - I've verified the credentials. The account was made on Friday so I would hope that would be enough time. I was unsure what all was needed for EWS and Graph, but if it's just username and password I'll go back and dig deeper into the account to see what it's doing.

[Polina]

Matt,

If the credentials are correct and you can successfully login with this account to portal.office.com, then it might be something with your LAN proxy settings. In this case, it'd be best to open a support case and let our engineers verify the configuration.

[mlange]

I can log into portal.office.com. Would the proxy settings affect two accounts differently because if I use the global admin account everything works as expected.

[nielsengelen]

As you are getting a 401 Unauthorized result within Graph, it should/could mean 2 things:
- Wrong credentials
- Wrong permissions for the ApplicationImpersonation

I would suggest opening a support case as the logs will most likely tell more and they can assist you.

[Mike Resseler]

Matt,

I agree. One thing you should know is that when you can open the portal, it doesn't mean you have all the rights to the grap API. For example, see what you can do in the Azure AD admin portal. It might be that you are not allowed to do things over there.

[mlange]

Ack, I forgot to post that I opened, and have since closed, a case; 03423925. It turned out it was the Conditional Access Policy. Apparently Office 365 and Azure AD don't quite work the way I thought they did, and when I was initially looking into the MFA status for the account it was saying it wasn't enabled. Turns out that particular page really only applies to tenants that don't have Azure AD licensing, and if you do have AAD licensing that page is ignored. I just wasn't familiar enough with some of the idiosyncrasies of O365/AAD to find exactly what I was looking for.

[Mike Resseler]

Matt,

Good to hear. Thanks for letting us know. I am sure some others will have the same issues at some point. I am not going to comment too much on AAD/ O365 but sometimes it is indeed rather difficult to figure out what portal to use, and depending on the portal, the procedures seem to be quite different also

[silverburn]

Yup, same issue here for me.

Account can logon to portal etc, but fails on Veeam.

Connect to Microsoft graph = OK
Connect to EWS = FAIL. HTTP status 401 error
Connect to Powershell = FAIL. The sign-in name or password does not match...

[Polina]

Hi Euan and welcome to the Community!

To things to check first: 1) do you have legacy authentication protocols enabled? (more on this here) 2) are there any CA policies requiring an MFA in EWS?

Thanks

[SilvioS]

Hi Together

I've only experience with VEEAM and ON-Prem solutions, thats my first try in VOB, i hope the question is no to dummy , but i don't find any solution on the web.

I've the same problem like silverburn:
Connect to Microsoft graph = OK
Connect to EWS = FAIL. HTTP status 401 error
Connect to Powershell = FAIL. By the Connect with the Remoteserver is the followed failure: permission denied.

Has anyone an idea? The right link or the solution. Thanks a lot.

Best regards
Silvio

[Polina]

Hi Silvio and welcome to the Community!

VBO requires legacy authentication protocols to be enabled in the O365 tenant. If your tenant is using the Security Defaults, these protocols are disabled and VBO cannot connect to EWS and PowerShell. I'd start troubleshooting with this check.

Thanks!

[SilvioS]

Hey Polina,

Thank you so much for the hint, its function now.
I have deactivated the default policy (Printscreen https://bevioitservices.sharepoint.com/ ... w?e=m8fupd), maybe there is a way to assign with less authorization, unfortunately I do not have the time to test it . If someone knows a working variant with less rights assignment, please post it .

Thanks
Silvio

[Polina]

Silvio,

We're working on some changes to simplify the process, but with no ETAs yet.
Thanks for getting back on this!