Polina
Veeam Software
Posts: 3981
Liked: 1017 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva

Re: Mailbox errors: The HTTP request was forbidden with client authentication scheme 'Anonymous'.

Post by Polina » 1 person likes this post

The official deadline from Microsoft is July 1, 2026. Until that time, please follow the recommendations provided in KB4796.

Thanks
DaStivi
Veeam Legend
Posts: 479
Liked: 98 times
Joined: Jun 30, 2015 9:13 am
Full Name: Stephan Lang
Location: Austria

Post by DaStivi » 3 people like this post

But this is also no one-time fix! As I've written in my posts before... my best guess right now is that when a user's license changes from Kiosk to Ex, the EWS gets "nulled" and then produces errors in the backup...

The earlier we can get a GraphAPI-EXO Backup version, the better!!

Post by Polina » 1 person likes this post

Hi Stephan,

If you get Graph API backup today, you won't be able to protect group, resource and archive mailboxes anymore, and you will also face a few other changes in behavior compared to the current state of the backup you are used to.

First, we'll address the issue for limited license mailboxes. All the rest will come later. Hopefully at least some of the current limitations will be resolved/addressed by that time.

Thanks.
hans.ovli
Influencer
Posts: 11
Liked: 3 times
Joined: Oct 21, 2024 6:49 am
Full Name: Hans Aleksander Ovli

Post by hans.ovli »

What do we do as a workaround for this issue when a customer has disabled EWS at both the organization level and the user level based on their risk policy?
https://www.veeam.com/kb4796 will not solve that, and on the support side, when I tried to create a ticket for it, they state:
The issue “The HTTP request was forbidden with client authentication scheme ‘Anonymous’” is currently being jointly investigated by Veeam and Microsoft. For proactive updates, please refer to KB4796.

When is this going to be fixed? It has been like this for quite a while, and the last update in the KB was a month ago. I have a customer with this error on hundreds of mailboxes.
Is this an error causing the backup not to be taken, or is this an error message we can safely ignore as noise?

Post by Polina »

Hi Hans,

Today, if EWS is disabled, backups cannot be performed, and there's no workaround for that.

Veeam is now working on transitioning from EWS to Graph APIs for Exchange backup. You can see more details in my post above.
Mildur
Product Manager
Posts: 11755
Liked: 3319 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Post by Mildur » 4 people like this post

Hi all,

As Polina shared, we are working on the transition from EWS to Microsoft Graph API and plan to release the new Veeam Backup for Microsoft 365 version in time to support Microsoft Graph API for F- and Kiosk-licensed mailboxes.

Today, we want to provide the list of additional required permissions for the backup application in Microsoft Entra ID so you can prepare before the update is released. This may be helpful for service providers that need to contact their customers to arrange these additional permissions.

Disclaimer: This list reflects the current development state and is expected to be final for the upcoming release. However, it may still change before release if additional Microsoft Graph API permissions are required. Please double-check the Release Notes or User Guide after GA.

+------------------------------+------------------------------------+--------+---------+
| Permission                   | Permission Type                    | Backup | Restore |
+------------------------------+------------------------------------+--------+---------+
| User.ReadBasic.All           | Application                        |   x    |    x    |
| User.ReadBasic.All           | Delegated (work or school account) |        |    x    |
| MailboxItem.ImportExport.All | Application                        |   x    |    x    |
| MailboxItem.ImportExport     | Delegated (work or school account) |        |    x    |
| MailboxFolder.Read.All       | Application                        |   x    |         |
| MailboxItem.Read.All         | Application                        |   x    |         |
| MailboxItem.Read             | Delegated (work or school account) |        |    x    |
| MailboxFolder.ReadWrite.All  | Application                        |        |    x    |
| MailboxFolder.ReadWrite      | Delegated (work or school account) |        |    x    |
+------------------------------+------------------------------------+--------+---------+

Best regards,
Fabian
Product Management Analyst @ Veeam Software
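
A readiness check against the table in the post above, as an added example that is not Veeam's code or part of the original thread: it resolves the backup app's application-role assignments to names and lists which of the announced permissions are still missing for backup or restore. The export layout and all IDs are constructed; only the field names `appRoleId`, `appRoles`, `scope` and `value` follow Microsoft Graph objects, and the required list is copied from the post and may change before release.

```python
import json

# Copied from the table in the post: (permission, type) -> operations needing it.
REQUIRED = {
    ("User.ReadBasic.All", "Application"): {"backup", "restore"},
    ("User.ReadBasic.All", "Delegated"): {"restore"},
    ("MailboxItem.ImportExport.All", "Application"): {"backup", "restore"},
    ("MailboxItem.ImportExport", "Delegated"): {"restore"},
    ("MailboxFolder.Read.All", "Application"): {"backup"},
    ("MailboxItem.Read.All", "Application"): {"backup"},
    ("MailboxItem.Read", "Delegated"): {"restore"},
    ("MailboxFolder.ReadWrite.All", "Application"): {"restore"},
    ("MailboxFolder.ReadWrite", "Delegated"): {"restore"},
}

# Constructed sample export (placeholder GUIDs): appRoles of the Microsoft Graph
# service principal, plus the backup app's role assignments and delegated grants.
SAMPLE = json.loads("""
{
  "graphAppRoles": [
    {"id": "00000000-0000-0000-0000-000000000001", "value": "User.ReadBasic.All"},
    {"id": "00000000-0000-0000-0000-000000000002", "value": "MailboxItem.ImportExport.All"},
    {"id": "00000000-0000-0000-0000-000000000003", "value": "MailboxFolder.Read.All"}
  ],
  "appRoleAssignments": [
    {"appRoleId": "00000000-0000-0000-0000-000000000001"},
    {"appRoleId": "00000000-0000-0000-0000-000000000002"}
  ],
  "oauth2PermissionGrants": [
    {"consentType": "AllPrincipals", "scope": "User.ReadBasic.All MailboxItem.Read"}
  ]
}
""")

def granted(export):
    """Return the set of (permission, type) pairs the app currently holds."""
    # Application permissions are stored as role GUIDs; map them back to names.
    names = {r["id"]: r["value"] for r in export["graphAppRoles"]}
    app = {(names[a["appRoleId"]], "Application")
           for a in export["appRoleAssignments"] if a["appRoleId"] in names}
    # Delegated grants carry a space-separated scope string.
    delegated = {(s, "Delegated") for g in export["oauth2PermissionGrants"]
                 for s in g["scope"].split()}
    return app | delegated

def missing(export, operation):
    """List required pairs for 'backup' or 'restore' that are not yet granted."""
    have = granted(export)
    return sorted(p for p, ops in REQUIRED.items() if operation in ops and p not in have)
```
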

Post by hans.ovli »

Thx for answering out here, Polina and Mildur!
I need to reach out to my customer to ask them to enable EWS again, but I am having trouble seeing the actual consequence.
Since the Exchange explorer shows data can be restored and restore points seem OK, what is not being backed up here, since Veeam displays it as an error?

Post by Mildur » 1 person likes this post

Hi Hans,

If you see the error documented in KB 4796, then specific mailboxes should not have been protected during that job session.
I recommend enabling it to be sure that all mailboxes are protected.

Best,
Fabian
Product Management Analyst @ Veeam Software