Unable to connect using Modern Auth with VBOv4

[MILJW002]

Hi All,

I’ve not logged a ticket yet, as I’m hoping this is something simple I’ve missed.

I’ve happily been using the modern authentication method (the one requiring the custom app) since the early beta of version 3.

I’ve installed VBO365v4 and I’m unable to connect to my organisation using the exact same details that have been working since v3. My prod v3 server is still working.

I get a “Error: Unable to connect to the resource. Microsoft Azure Active Directory application doesn’t have the required permissions.” error. I’ve double checked the doco for v4 and I can’t see there being any additional permissions required. Have I missed something?

It looks SharePoint related, but I can’t figure out the missing permissions.

Code: Select all

———
28/11/2019 9:39:45 PM   27 (3388) Starting Microsoft Azure Active Directory permission validation...
28/11/2019 9:39:47 PM   26 (2956) Acquired Azure authorization token (Client ID: <my app id>, resource: https://graph.microsoft.com/)
28/11/2019 9:39:47 PM   27 (3388) Found token with the following permissions: Group.Read.All, Directory.Read.All
28/11/2019 9:39:48 PM   24 (1732) Acquired Azure authorization token (Client ID: <my app id>, resource: https://outlook.office365.com/)
28/11/2019 9:39:48 PM   27 (3388) Found token with the following permissions: full_access_as_app
28/11/2019 9:39:49 PM   24 (1732) Acquired Azure authorization token (Client ID: <my app id>, resource: https://graph.microsoft.com/)
28/11/2019 9:39:50 PM   24 (1732) Acquired Azure authorization token (Client ID: <my app id>, resource: https://<my tennsnt>-admin.sharepoint.com/)
28/11/2019 9:39:50 PM   27 (3388) Found token with the following permissions: Sites.FullControl.All
28/11/2019 9:39:50 PM   27 (3388) Azure Active Directory application configuration failed
28/11/2019 9:39:50 PM   27 (3388) Error: Unable to connect to the resource. Microsoft Azure Active Directory application doesn’t have the required permissions.
28/11/2019 9:39:50 PM   27 (3388) Type: System.Exception
28/11/2019 9:39:50 PM   27 (3388) Stack:
28/11/2019 9:39:50 PM   27 (3388)    at Veeam.Archiver.Source.Authentication.TokenPermissionsVerifier.VerifyPermissions(String token, Boolean isConnectedToDefaultApplication, IEnumerable`1 permissionSets)
   at Veeam.Archiver.Source.Authentication.AuthenticationHeaderProvider.ValidateAuthenticationToken(String resource, IEnumerable`1 permissionSets, CancellationToken cancel)
   at Veeam.Archiver.Source.Authentication.ApiCertificateApplicationPermissionsChecker.CheckSharePointPermissions(CancellationToken cancel)
   at Veeam.Archiver.Source.Authentication.ApiCertificateApplicationPermissionsChecker.CheckPermissions(CancellationToken cancel)
   at Veeam.Archiver.Controller.Organizations.GraphApplicationConfigurator.CheckApplicationPermissions(IApplicationClientProvider factory)
   at Veeam.Archiver.Controller.Organizations.GraphApplicationConfigurator.Configure(SourceOrganizationConfig config)
   at Veeam.Archiver.Controller.Organizations.GraphApplicationConfigurator.Configure()
——

Any tips greatly appreciated.

J

[Polina]

Hi James,

In v4, the required application permissions were extended with the "Read user profiles" (User.Read.All). Please ensure that you have it granted to your VBO app.

[MILJW002]

Hi Polina,

I’ve added that (just checked), but only within the past hour or so. I do recall warnings it can take “up to” an hour to take effect. I’ll wait a bit longer and see if that’s all I was missing.

Thanks for the quick response.

J

[Polina]

James,

Right, it usually takes time to sync the changes across O365, so let's give it some time to "think it over" )
And if the issue still occurs, please open a support call and share its ID here.

Thanks!

[MILJW002]

Yep, that appears to have fixed it!