omegagx
Enthusiast
Posts: 68
Liked: 4 times
Joined: May 09, 2017 6:33 pm
Full Name: Mike G
Contact:

Microsoft will force MFA for all Global Admins in O365 soon

Post by omegagx »

Microsoft just released this baseline policy in preview:
https://cloudblogs.microsoft.com/enterp ... c-preview/
but it will shortly enable this for everyone, forcing all Global Administrators to have MFA turned on. This baseline policy is available under: https://portal.azure.com/#blade/Microso ... e/Policies

As soon as we enabled this policy, Veeam Backup for Microsoft Office 365 broke with the following errors:

Code:

Connecting to remote server outlook.office365.com failed with the following error message : Access is denied.
For more information, see the about_Remote_Troubleshooting Help topic.

and

Code:

The request failed with HTTP status 401: Unauthorized.

Looks like Microsoft supported connecting to Exchange Online using PowerShell with MFA, since the middle of last year:
https://docs.microsoft.com/en-us/powers ... xchange-ps

You just need to use the following string:

Code:

Connect-EXOPSSession -UserPrincipalName <UPN>

instead of these commands:

Code:

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

Since "Veeam for Office 365" doesn't support MFA, it appears that as soon as Microsoft makes this baseline policy the default (soon), your product will no longer support "Office 365". :-( :( :( :(

When would Veeam start supporting MFA? Currently we can no longer use this product since we are required to use this baseline policy. We also opened a support case #03105881 on this.
Thanks.
Mike Resseler
Product Manager
Posts: 8191
Liked: 1322 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by Mike Resseler »

Hi Michael,

I understand that you need to enable this policy but there are a few remarks that I would like to make (and you will see below, I will make remarks on our software also)

1. Even if you enable this policy, I trust you are adding an emergency access account as an exclusion? A service account can be added there also. The reason for this VBO service account is quite simple. We can love MFA, but a solution cannot work if the service account has MFA enabled. MFA requires human interaction. So you will always need somewhere an account without MFA. This is not only for us, this will be for many solutions that connect to O365 (or other cloud services) and need interaction and authentication.
2. After GA (we are very close) of 2.0 we will do some testing with the concept of app-passwords to see what the results are.
3. EWS has received end of life statement (2020). This will require us to make some changes (which we are investigating already) and one of the changes will be that applications need to be written so they become trusted applications, bypassing the MFA requirement (Yes, this is a Microsoft requirement so one way or another, in the future, you still will have some parts in your organization that bypass MFA)
4. What we certainly should do (and consider this a feature request that I am very aware of ;-)) is the possibility to offer MFA when you do a restore with a specific account. To me personally, this is a high-priority one.

Now for some questions from my side ;-)
1. Will an app-password be good enough as a start to continue working with our solution?
2. In the future, what would be your preference (for the service account) to bypass the MFA requirement. And, are you willing to "renew" the MFA bypass every X days (You can bypass for example for 30 days, but then you need to renew again...)

Hope it helps, let me know if you need more clarification
Mike

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by omegagx »

Looks like this baseline policy doesn't allow for exceptions - if an account is a Global Administrator, then MFA is enabled. I couldn't find a way to exclude an account from it.

Currently, we are unable to backup any of our Exchange Online mailboxes, so any solution would work. Can you walk me through creating an application password to fix this issue?
MILJW002
Enthusiast
Posts: 56
Liked: 5 times
Joined: Apr 29, 2017 2:26 pm
Full Name: James Miller
Location: Adelaide, South Australia
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by MILJW002 »

Hi,

Just one thing. You don’t need a Global Admin account for backup. I made a custom role in Exchange Online and this is the only access my service account is using. The roles were:

ApplicationImpersonation
View-Only Configuration
View-Only Recipients

J
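
An added example, not part of the original post and not Veeam's or Microsoft's own script: one way to build the custom role group described above and then review which management roles actually reach the service account. The account UPN and role group name are hypothetical placeholders, and the script assumes an Exchange Online PowerShell session is already connected (for example with Connect-EXOPSSession, as in the first post).

```powershell
# Assumption: an Exchange Online PowerShell session is already open.
# Hypothetical names below: replace both with values from your own tenant.
$ServiceAccount = 'svc-backup@contoso.example'
$RoleGroupName  = 'Backup Service Least Privilege'

# The three roles listed in the post above.
$Roles = @(
    'ApplicationImpersonation',
    'View-Only Configuration',
    'View-Only Recipients'
)

# Create the role group only if it does not exist yet, so the script can be re-run.
$existing = Get-RoleGroup | Where-Object { $_.Name -eq $RoleGroupName }
if (-not $existing) {
    New-RoleGroup -Name $RoleGroupName `
                  -Roles $Roles `
                  -Members $ServiceAccount `
                  -Description 'Backup service account: impersonation plus read-only views'
}
else {
    Write-Warning "Role group '$RoleGroupName' already exists; review its roles and members by hand."
}

# Review step: list every management role assigned to the account, directly or
# through group membership. End-user roles that arrive through a role assignment
# policy are left out because they are not administrative roles.
$effective = Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Delegating $false |
    Where-Object { $_.RoleAssigneeType -ne 'RoleAssignmentPolicy' }

$effective |
    Sort-Object Role |
    Format-Table Role, RoleAssigneeName, RoleAssigneeType -AutoSize

# Flag anything beyond the intended three roles so it can be removed.
$unexpected = $effective | Where-Object { $_.Role -notin $Roles }
if ($unexpected) {
    $names = ($unexpected | ForEach-Object { [string]$_.Role } | Sort-Object -Unique) -join ', '
    Write-Warning "Roles outside the intended set on ${ServiceAccount}: $names"
}
else {
    Write-Output "$ServiceAccount holds only the intended roles."
}
```

The review step is the part worth re-running on a schedule: a service account that is exempt from MFA should never accumulate roles beyond the ones it was created for.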

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by Mike Resseler »

Hmmm,

In the first link you sent us, there is a screenshot under point 4. At the bottom you see the exclusion. Could you check if you can see it?

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by omegagx »

Any reason why the "release notes" or documentation don't specify that enabling MFA will break the product?

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by Mike Resseler »

Michael,

Not really. Actually a good tip to add to the notes. Probably my mind that concluded automatically that MFA cannot work for a service account ;-)

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by omegagx »

I also couldn't find any KB articles on this issue even though it was first reported on this forum in 2016.
DavidReimers
Enthusiast
Posts: 52
Liked: 2 times
Joined: Sep 20, 2010 4:39 am
Full Name: David Reimers
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by DavidReimers » 1 person likes this post

Using MFA for Exchange Online PowerShell is relatively straightforward and well documented above.

What is trickier is getting Azure AD to work. You need PowerShell Gallery to get the updated Azure AD modules, and that needs PowerShell 5, and that needs Windows Management Framework 5. This is a good backgrounder on PowerShell Gallery: https://docs.microsoft.com/en-us/powers ... ng-started

Get Windows Management Framework 5.1 (https://www.microsoft.com/en-us/downloa ... x?id=54616)
Once you've got WMF 5, installed it and rebooted, get PowerShell Gallery (https://www.powershellgallery.com).
Once you've got that, install the latest PowerShell Get (https://www.powershellgallery.com/packa ... lGet/1.6.6). The command is:

Code:

Install-Module -Name PowerShellGet -Force

Then you can get the AzureADPreview module. I used the preview version, because I needed the newer commands to manipulate the organisation policies for authentication timeouts. https://www.powershellgallery.com/packages/AzureAD/ In true Microsoft fashion, the preview version is needed to actually do a lot of the newer commands like New-AzureADPolicy.

Code:

Install-Module -Name AzureADPreview

or, if you've already got AzureAD installed

Code:

Install-Module -Name AzureADPreview -AllowClobber

Once you've got all this done, you can then load the AzureAD modules:

Code:

Import-Module AzureADPreview
Connect-AzureAD

And you'll get the Modern Auth-style dialog pop up.

Hope this helps anyone struggling with it. We have previously just turned off MFA temporarily but I suspect this will be increasingly harder to do in future.
thuizenga
Influencer
Posts: 24
Liked: never
Joined: May 08, 2010 2:00 am
Full Name: Travis h
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by thuizenga »

Mike Resseler wrote:

Hi Michael,

I understand that you need to enable this policy but there are a few remarks that I would like to make (and you will see below, I will make remarks on our software also)

1. Even if you enable this policy, I trust you are adding an emergency access account as an exclusion? A service account can be added there also. The reason for this VBO service account is quite simple. We can love MFA, but a solution cannot work if the service account has MFA enabled. MFA requires human interaction. So you will always need somewhere an account without MFA. This is not only for us, this will be for many solutions that connect to O365 (or other cloud services) and need interaction and authentication.
2. After GA (we are very close) of 2.0 we will do some testing with the concept of app-passwords to see what the results are.
3. EWS has received end of life statement (2020). This will require us to make some changes (which we are investigating already) and one of the changes will be that applications need to be written so they become trusted applications, bypassing the MFA requirement (Yes, this is a Microsoft requirement so one way or another, in the future, you still will have some parts in your organization that bypass MFA)
4. What we certainly should do (and consider this a feature request that I am very aware of ;-)) is the possibility to offer MFA when you do a restore with a specific account. To me personally, this is a high-priority one.

Now for some questions from my side ;-)
1. Will an app-password be good enough as a start to continue working with our solution?
2. In the future, what would be your preference (for the service account) to bypass the MFA requirement. And, are you willing to "renew" the MFA bypass every X days (You can bypass for example for 30 days, but then you need to renew again...)

Hope it helps, let me know if you need more clarification
Mike

+1 for app password support.

I just started testing version 2.0 and was excited to try out OneDrive / SharePoint features, but was slapped in the face with a 401 error. Support suggested I set "Apps that don't use modern authentication" to allow?

There is no way we could make that change, we use MAM policies which would all be disabled by making that change.

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by Mike Resseler » 1 person likes this post

Hey Travis,

We are working on something at this moment but it will take us some time. We are investigating different solutions to solve this problem
Robvil
Expert
Posts: 172
Liked: 20 times
Joined: Oct 03, 2016 12:41 pm
Full Name: Robert
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by Robvil »

Under Azure AD "Conditional access - Policies" you can exclude admin users which should not have MFA required.

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by thuizenga »

Just curious if anyone has had any luck with this. We went in, created a new user and created a new role and assigned the role to Exchange, and mailbox backups seem to still be working, but am trying to figure out how to grant the permission for SharePoint/OneDrive. The precheck comes out fine, but I still get the same error when trying to do backups other than mailbox.

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by Mike Resseler »

Travis,

Did you exclude that user from MFA?

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by thuizenga »

We don't see multi-factor being enabled for this user.

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by Mike Resseler »

Travis,

Please make a support call for this. I believe I heard about this before and if I am right, our support team can get you fixed. (And as always, please post the case ID here and the outcome after investigation with the engineers)

Thanks
Mike

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by thuizenga »

We got it to work by enabling legacy protocols for the newly created user.

Connect-SPOService
Set-SPOTenant -LegacyAuthProtocolsEnabled $true
Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $false

Yeah!

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by Mike Resseler »

Thanks Travis.

I will need to look into these PS cmdlets to truly understand what is going on in the backend. I'm not sure to be honest why it needs to be done (I actually thought this was enabled by default...)
stvajnkf
Enthusiast
Posts: 45
Liked: 15 times
Joined: Jan 03, 2017 5:25 pm

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by stvajnkf »

As of version 2.0.0.567 and 11/12/2018, two-factor authentication is still not working for the main service account that lets Veeam connect to the Office 365 server. It fails when it tries to connect to Microsoft Graph, preventing me from going any further with the backup job setup.

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by Mike Resseler » 1 person likes this post

@Stvajnkf,

Our next version will have MFA support and will work with app secrets. I can't give any ETA at this point in time though
jrick
Service Provider
Posts: 35
Liked: 6 times
Joined: Jan 31, 2018 9:31 am
Full Name: Julien Rick
Location: Luxembourg
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by jrick »

Any news about VBO365 and MFA? My mail team explained to me that Microsoft will force MFA for administrators in February and VBO365 needs an account with SharePoint Admin right.

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by Mike Resseler »

Hey Julien,

Can you ask your team where they have found that? I am aware that the default will become MFA-enabled but it is still changeable at your own discretion and if it is not MFA enabled today, it won't be then.

But maybe I missed somewhere an announcement?

Thanks
Mike
DannyMurphy
Influencer
Posts: 17
Liked: 2 times
Joined: Nov 01, 2017 1:24 pm
Full Name: Danny Murphy
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by DannyMurphy »

Hi Mike,

The enforcement comes from Partner Centre. It gives this link to a PDF to see what's changing and why: http://assetsprod.microsoft.com/securit ... ts-faq.pdf

It'll affect the APIs for partner centre but I don't believe Veeam uses these so it shouldn't affect it. They are however forcing it for all admins soon after according to the Azure which you can see on this link: https://aka.ms/cabaselinemfaforadmins
Polina
Veeam Software
Posts: 3195
Liked: 774 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by Polina »

Hi Danny,

Thanks for the info.
First and foremost, we clearly realize the need and urgency for introducing support for MFA-enabled accounts in VBO, and it's already on our roadmap.
Still, the transition to the new baseline policy should be smooth, as Microsoft provides a temporary workaround allowing to exclude users from the policy.

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by Mike Resseler » 1 person likes this post

Danny,

To add to what Polina says. MFA-enabled accounts (or better said, modern authentication) will be available in our next version and that is not far away anymore. And as Polina says, there is a workaround. But the one change I would like to make, is that it most likely won't be a temporary workaround. MSFT actually advises to have an "emergency access" account (https://docs.microsoft.com/en-us/azure/ ... ncy-access).

But for the future, we will indeed advise everyone to use a modern authentication "service account" that will include app ID, app passwords or certificates and more. We are already prepping the documentation for it (Polina is ;-))

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by DannyMurphy »

Perfect, looking forward to it!

Hopefully the update after this one will bring it into B&R :P

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by Mike Resseler »

Hey Danny,

What exactly do you mean with "bringing it into B&R"? For example, bringing it into the UI of B&R does not make any sense to me. Other items might make sense though.

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by DannyMurphy »

Yeah bring it into the UI. One single console for backup infrastructure and one installation, multiple licenses. Makes life easier for service providers :)

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by Polina »

Hi Danny,

From what I've heard it might be implemented in the future (never say never with Veeam :) ). But as of now isn't Veeam Availability Console meeting the need for a single backup management console?