Modern Auth - Certificates

[JohnVK]

Hi,

I'm hoping that someone may be able to explain the use of certificates with Modern Authentication? I have a tenant set up with a Veeam generated certificate. During the setup I chose to allow Veeam to create the application on the O365 side. This works fine - was very easy to set up.

However...

What if I alreay have an O365 application set up? or my customer does not want the application to be created automatically? How can I export the certifcate that Veaam generates, so that I can import it in O365? It doesn't seem to be in the certificate store on my VBO.

Or do I need to use a certificate from an external CA? If so, what are the specifications for the certificate? Are we talking about a standard SSL cert? Are there any requirements for the common name? Does it need to match the app name?

I've tried searching for info online, but until now haven't been able to find anything.

Hopefully someone here can help?

Thanks in advance,

[Polina]

Hi John and welcome to Veeam Forums!

VBO self-signed certificates are stored under Local Computer/Personal, and, for example, there you will find certificates generated for the pool of auxiliary backup applications. However, certificate created when adding a new organization is not there and this is known issue, which will be fixed in the next version.

If you already have an application setup in O365 and don't want to use the automatically generated certificate, there's an option to reuse an existing one from the Certificate Store. Certificate name can be different from the app name; and there're no special requirements for the common name. Just note that O365 supports only .cer, .pem and .crt file formats.

Thanks!

[JohnVK]

Hi Polina,

Thanks for the response. Regarding your comment "if you already have an application setup in O365 and don't want to use the automatically generated certificate" - My issue is more that I do want to use the automatically generated certificate - but how do I upload this to O365 if I can't find it in the certifcate store? Or does Veeam take care of this for existing applications as well?

Again, thanks for the helpful information!

[Polina]

Hi John,

I must admit that currently it's not as straightforward as it should be (and will definitely be fixed in the future release). To be able to generate a new certificate, check the 'Grant this application required permissions...' box first and then click the 'Install' button where the self-signed option will appear. In this case, the certificate will be generated and uploaded to O365 automatically.

Thanks!

[JohnVK]

Great,

Thanks for clearign it up. I'll give it a try.

[Switchie_Urs]

Hi Polina,

following up on your response to John, what if I need to re-run the add-org wizard to change the used Exchange and Sharepoint in order to use lower privileges (the Global Admin role assignment was required to automatically create the AAD app) but want to use that same self-signed certificate? the "Install" option does not show that certificate anymore and the "Application Certificate" field does not allow entry of an app secret created as a workaround. Are there any other options I may have missed?

Regards,
Urs