-
- Enthusiast
- Posts: 53
- Liked: 3 times
- Joined: Oct 24, 2018 8:22 am
- Full Name: Christoph Schulze
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
I know, you have to use the API Microsoft provides. So pls don't be offended.
Microsoft on the other side is pushing us as a Microsoft Partner to use the Conditional Access - Policies. As I don't know if Veeam is aware of this, I'll post some screenshots for you.
https://partner.microsoft.com/en-us/pcv ... compliance
https://partner.microsoft.com/de-DE/res ... quirements#/
Microsoft on the other side is pushing us as a Microsoft Partner to use the Conditional Access - Policies. As I don't know if Veeam is aware of this, I'll post some screenshots for you.
https://partner.microsoft.com/en-us/pcv ... compliance
https://partner.microsoft.com/de-DE/res ... quirements#/
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
We are aware of this but we (and Microsoft) are also aware that certain things are still not available via the new API’s and therefore we leverage the legacy path. So far this hasn’t cause any issues but we will continue to push and update as time goes on.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
GitHub: https://github.com/nielsengelen
-
- Novice
- Posts: 9
- Liked: 3 times
- Joined: Oct 17, 2018 6:13 pm
- Full Name: Christian Petersen
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Hello
My company are in the process of implementing VBO atm. and we have also stumbled upon the need for the SPO legacy protocol to be enabled.
We talked to our contacts at Veeam about and they gave us the solution mentioned in this forum thread.
We then decided to dig deep into the solution to see if was okay to implement (We are currently using CA).
I talked to a colleague of mine who is a Microsoft MVP in Enterprise mobility and asked him to look at the solution provided.
He then got back to me and told me - short version: "You cannot use CA to prevent the use of the legacy protocol, because the legacy protocol cannot handle CA enforcement. CA is a top-level security measure and when you enabled the legacy protocol in SPO, you can then bypass CA with just username & password"
My first response was, are you sure? - He then went a little further and ask a couple of other MVPs with in-depth knowledge of CA policy's and 3 of them told him that he was right in was he told me. One other MVP was not, and said the exact opposite.
He then went on to ask a Microsoft employee that works in the Intune team and he then confirm what the 3 other MVPs has told him.
We have now reached out to our contacts at Microsoft to get an answer on the question "Its's safe to enable the legacy protocol in SPO and then use CA to protect it" - We currently still waiting on the answer.
This is from a blog post regarding this topic:
Some cloud apps also support legacy authentication protocols. This applies, for example, to SharePoint Online and Exchange Online. When a client app can use a legacy authentication protocol to access a cloud app, Azure AD cannot enforce a conditional access policy on this access attempt. To prevent a client app from bypassing the enforcement of policies, you should check whether it is possible to only enable modern authentication on the affected cloud apps.
- This is taken from a Microsoft MVP (Enterprise mobility) - https://alberthoitingh.com/2018/04/26/m ... on-beware/ -
His source is: https://docs.microsoft.com/en-us/azure/ ... -practices
And that is basically confirms what we have been told so fare.
So, my question to you guys that have enabled the legacy protocol in SPO and are using CA to protect it. Do you have any confirmation from an official source that it's absolutely 100% safe? and it's not lowering your security standard?
My company are in the process of implementing VBO atm. and we have also stumbled upon the need for the SPO legacy protocol to be enabled.
We talked to our contacts at Veeam about and they gave us the solution mentioned in this forum thread.
We then decided to dig deep into the solution to see if was okay to implement (We are currently using CA).
I talked to a colleague of mine who is a Microsoft MVP in Enterprise mobility and asked him to look at the solution provided.
He then got back to me and told me - short version: "You cannot use CA to prevent the use of the legacy protocol, because the legacy protocol cannot handle CA enforcement. CA is a top-level security measure and when you enabled the legacy protocol in SPO, you can then bypass CA with just username & password"
My first response was, are you sure? - He then went a little further and ask a couple of other MVPs with in-depth knowledge of CA policy's and 3 of them told him that he was right in was he told me. One other MVP was not, and said the exact opposite.
He then went on to ask a Microsoft employee that works in the Intune team and he then confirm what the 3 other MVPs has told him.
We have now reached out to our contacts at Microsoft to get an answer on the question "Its's safe to enable the legacy protocol in SPO and then use CA to protect it" - We currently still waiting on the answer.
This is from a blog post regarding this topic:
Some cloud apps also support legacy authentication protocols. This applies, for example, to SharePoint Online and Exchange Online. When a client app can use a legacy authentication protocol to access a cloud app, Azure AD cannot enforce a conditional access policy on this access attempt. To prevent a client app from bypassing the enforcement of policies, you should check whether it is possible to only enable modern authentication on the affected cloud apps.
- This is taken from a Microsoft MVP (Enterprise mobility) - https://alberthoitingh.com/2018/04/26/m ... on-beware/ -
His source is: https://docs.microsoft.com/en-us/azure/ ... -practices
And that is basically confirms what we have been told so fare.
So, my question to you guys that have enabled the legacy protocol in SPO and are using CA to protect it. Do you have any confirmation from an official source that it's absolutely 100% safe? and it's not lowering your security standard?
-
- Service Provider
- Posts: 1092
- Liked: 134 times
- Joined: May 14, 2013 8:35 pm
- Full Name: Frank Iversen
- Location: Norway
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
*chewing popcorn on this*
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Hey,
Sorry about my late reply... I have been a bit busy releasing lately . I disagree with the MVP on his statement. Having a legacy user / pwd with CA based on IP/ location seems very safe. But that said, we can continue the discussion what is safest and in that case the only outcome will be that you will need to do 2FA each time our service wants to connect to O365 (and you would need to do that with your outlook then also...). More importantly:
We are obviously aware that we need to come up with a solution so we can support connection without legacy authentication protocol. And we are actively working / researching this. However, it will come at a cost. Certain items won't be protected, and certain restores won't be possible. Maybe later they will become available again if we can do everything through Graph, but as of today, we need to work with CMOS (SPO / O4B) and EWS (Exchange Online). Because of these services, we are limited in certain things.
Hope that makes it a bit more clear
Sorry about my late reply... I have been a bit busy releasing lately . I disagree with the MVP on his statement. Having a legacy user / pwd with CA based on IP/ location seems very safe. But that said, we can continue the discussion what is safest and in that case the only outcome will be that you will need to do 2FA each time our service wants to connect to O365 (and you would need to do that with your outlook then also...). More importantly:
We are obviously aware that we need to come up with a solution so we can support connection without legacy authentication protocol. And we are actively working / researching this. However, it will come at a cost. Certain items won't be protected, and certain restores won't be possible. Maybe later they will become available again if we can do everything through Graph, but as of today, we need to work with CMOS (SPO / O4B) and EWS (Exchange Online). Because of these services, we are limited in certain things.
Hope that makes it a bit more clear
-
- Novice
- Posts: 9
- Liked: 3 times
- Joined: Oct 17, 2018 6:13 pm
- Full Name: Christian Petersen
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Hey Mike
Thank you for taking the time to post an answer on the topic
The solution with CA based on IP / location and specif SA, is not that safe. It does prevent the protocol from being used by users, but CA doesn't work until after the authentication has been confirmed.
That means, if we do make use of the solution with CA, we have now just provide a platform to brute force attacks. Because everyone will be able to test the username & password against the legacy protocol, and when the password is guessed, CA will tell you that you can not get in.
So now an attacker knows the password of the user.
i'm aware that Veeam and Microsoft are working on resolving the need for the legacy protocol in the application.
Thank you for taking the time to post an answer on the topic
The solution with CA based on IP / location and specif SA, is not that safe. It does prevent the protocol from being used by users, but CA doesn't work until after the authentication has been confirmed.
That means, if we do make use of the solution with CA, we have now just provide a platform to brute force attacks. Because everyone will be able to test the username & password against the legacy protocol, and when the password is guessed, CA will tell you that you can not get in.
So now an attacker knows the password of the user.
i'm aware that Veeam and Microsoft are working on resolving the need for the legacy protocol in the application.
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Hmmm,
I didn't know that. If that is the case, I actually need to talk to MSFT, because that workflow is wrong. To me, authentication should not even be tried because the first thing that should be checked is CA
I didn't know that. If that is the case, I actually need to talk to MSFT, because that workflow is wrong. To me, authentication should not even be tried because the first thing that should be checked is CA
-
- Novice
- Posts: 9
- Liked: 3 times
- Joined: Oct 17, 2018 6:13 pm
- Full Name: Christian Petersen
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Hey Mike
Thanks for the quick reply.
That is endeed the case. CA is happing "post-authentication" on the legacy protocol.
I'm currently working on get answer from MS on the topic about CA and the legacy protocol. If you decied to contact them, I would very much like to know the answer.
Thanks for the quick reply.
That is endeed the case. CA is happing "post-authentication" on the legacy protocol.
I'm currently working on get answer from MS on the topic about CA and the legacy protocol. If you decied to contact them, I would very much like to know the answer.
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Yes, I will contact them, but since holiday season is started, I'm pretty sure it will take some time to get a response...
-
- Enthusiast
- Posts: 53
- Liked: 3 times
- Joined: Oct 24, 2018 8:22 am
- Full Name: Christoph Schulze
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
pls keep us posted.
Attacks on O365 / Azure are increasing
Attacks on O365 / Azure are increasing
-
- Service Provider
- Posts: 1092
- Liked: 134 times
- Joined: May 14, 2013 8:35 pm
- Full Name: Frank Iversen
- Location: Norway
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Does the cloud have holiday?
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Frank... The cloud not so much... people behind it...
-
- Enthusiast
- Posts: 53
- Liked: 3 times
- Joined: Oct 24, 2018 8:22 am
- Full Name: Christoph Schulze
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Quote from a recent partnermail from Microsoft:
• Blocking legacy authentication will not be enforced for partners at this time. However, as most events related to compromised identities come from sign-in attempts using legacy authentication, partners are encouraged to move away from these older protocols.
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Hi Christoph,
Just to be clear on this. With legacy, they mean username / password. We do support MFA with app registration, which is encouraged here. But the fact remains that we still have some legacy protocols remaining
Just to be clear on this. With legacy, they mean username / password. We do support MFA with app registration, which is encouraged here. But the fact remains that we still have some legacy protocols remaining
-
- Service Provider
- Posts: 42
- Liked: 5 times
- Joined: Aug 08, 2014 1:51 pm
- Full Name: Barry Knox
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Do we have any update on this from Veeam/Microsoft? As mentioned earlier disabling of legacy authentication methods is being mandated for Microsoft Partners.
This is being done by enabling something they call Security Defaults (on the surface this looks like a set of free to use conditional access rules)
https://docs.microsoft.com/en-gb/azure/ ... entication
With this enabled backup no longer functions, I have seen documented workarounds that use custom conditional access policies but this would require the purchase of azure ad premium p2 licences so its not without costs.
The other thing in the linked document you may want to note is the following -
If your tenant was created on or after October 22nd, 2019, it’s possible you are experiencing the new secure-by-default behavior and already have security defaults enabled in your tenant. In an effort to protect all of our users, security defaults is being rolled out to all new tenants created.
This suggests security defaults will be coming to all tenants as a default and isn't something only being forced down the neck of Microsoft partners, albeit they would have the option to turn it off but you may see a serious uptick in support calls!
This is being done by enabling something they call Security Defaults (on the surface this looks like a set of free to use conditional access rules)
https://docs.microsoft.com/en-gb/azure/ ... entication
With this enabled backup no longer functions, I have seen documented workarounds that use custom conditional access policies but this would require the purchase of azure ad premium p2 licences so its not without costs.
The other thing in the linked document you may want to note is the following -
If your tenant was created on or after October 22nd, 2019, it’s possible you are experiencing the new secure-by-default behavior and already have security defaults enabled in your tenant. In an effort to protect all of our users, security defaults is being rolled out to all new tenants created.
This suggests security defaults will be coming to all tenants as a default and isn't something only being forced down the neck of Microsoft partners, albeit they would have the option to turn it off but you may see a serious uptick in support calls!
VMCE
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Barry, no real update for now but we are well aware of this point. Once we know more, it will be shared here asap.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
GitHub: https://github.com/nielsengelen
-
- Veeam ProPartner
- Posts: 566
- Liked: 103 times
- Joined: Dec 29, 2009 12:48 pm
- Full Name: Marco Novelli
- Location: Asti - Italy
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
As a Microsoft Gold Partner I confirm that I have enabled "Security Default" on my Azure AD tenant , and VBO stopped working. VBO was already configured and working with Modern Authentication / MFATarqy wrote: ↑Jan 21, 2020 5:39 pm Do we have any update on this from Veeam/Microsoft? As mentioned earlier disabling of legacy authentication methods is being mandated for Microsoft Partners.
...
If your tenant was created on or after October 22nd, 2019, it’s possible you are experiencing the new secure-by-default behavior and already have security defaults enabled in your tenant. In an effort to protect all of our users, security defaults is being rolled out to all new tenants created.
This suggests security defaults will be coming to all tenants as a default and isn't something only being forced down the neck of Microsoft partners, albeit they would have the option to turn it off but you may see a serious uptick in support calls!
I get two errors:
Connect to EWS: the request failed with HTTP status 401: unauthorized
Connect to Powershell: connect to outlook.office365.com failed , access denied
Marco
-
- Service Provider
- Posts: 42
- Liked: 5 times
- Joined: Aug 08, 2014 1:51 pm
- Full Name: Barry Knox
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
VBO365 requires legacy authentication protocols and app passwords (when using modern authentication) in order to work.
Security Defaults disables both of these and is exactly the reason I chased this up last week.
Security Defaults disables both of these and is exactly the reason I chased this up last week.
VMCE
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Barry,
We are working heavily to have a solution for this. However, if we will stop using legacy authentication protocols, we will suffer from functionality. I can't give a date yet, but know that we are working on such a solution. Also, at the same time, we are working with Microsoft to see how the functionality could return (but that will be the longer route I'm afraid...)
We are working heavily to have a solution for this. However, if we will stop using legacy authentication protocols, we will suffer from functionality. I can't give a date yet, but know that we are working on such a solution. Also, at the same time, we are working with Microsoft to see how the functionality could return (but that will be the longer route I'm afraid...)
-
- Veeam ProPartner
- Posts: 566
- Liked: 103 times
- Joined: Dec 29, 2009 12:48 pm
- Full Name: Marco Novelli
- Location: Asti - Italy
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Thanks Mike! Would love to have back a set of minimal functionality, it's better than nothing... actually I cant run VBO at all with new Azure Security Settings for Microsoft Partners
Marco
Marco
-
- Enthusiast
- Posts: 53
- Liked: 3 times
- Joined: Oct 24, 2018 8:22 am
- Full Name: Christoph Schulze
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Are you sure about Azure AD Premium P2? I found this:
https://docs.microsoft.com/en-us/azure/ ... et-started
Microsoft Silver Partner get 25 seats Enterprise Mobility Suite (E3) - regardless with competency they have. I took this information from the latest IRU file: 'License Table - Competency (November 4th 2019).docx'[...]
Azure AD Premium P1
For customers with Azure AD Premium P1 or similar licenses that include this functionality such as Enterprise Mobility + Security E3, Microsoft 365 F1, or Microsoft 365 E3:
The recommendation is to use Conditional Access policies for the best user experience.
AFAIK there is no Enterprise Mobility Suite (E3), only Enterprise Mobility Suite + Security (E3)
IMHO EMSS E3 would be enough!?
I did not have time evaluate the options or to search for a guide how to get VBO 365 running with Conditional Access policy along with being compliant with MS Partner.
@Tarqy do you have a guide and can publish it for us?
-
- Veeam ProPartner
- Posts: 566
- Liked: 103 times
- Joined: Dec 29, 2009 12:48 pm
- Full Name: Marco Novelli
- Location: Asti - Italy
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
I have Office 365 E3 licenses, and enabling new Microsoft Azure Security Default broke VBO since in disable at all legacy protocols. Conditional access cant help, IMHO
Cheers, Marco
Cheers, Marco
-
- Enthusiast
- Posts: 71
- Liked: 2 times
- Joined: Jul 07, 2010 9:03 pm
- Full Name: Robert
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
New user here, I was about to test out v4. Went through the MFA set up guide only to get stuck on this error "Check LegacyAuthProtocolsEnabled". I would rather have reduced functionality than enable legacy auth. Are there still plans to do that?
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Hi Robert, we are still looking into it as mentioned before but no update for now. We'll post here once we have more info.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
GitHub: https://github.com/nielsengelen
-
- Novice
- Posts: 7
- Liked: 2 times
- Joined: May 17, 2012 2:51 pm
- Full Name: Fred Fish
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Have to disagree with that - If you whitelist your companies IP for legacy auth (So it bypasses the MFA check) this means that if you have an internal threat that gets hold of the user/pass by whatever means, they can wipe out your 365 tenant.Mike Resseler wrote: ↑Dec 10, 2019 10:51 am Having a legacy user / pwd with CA based on IP/ location seems very safe.
It does minimise the external risks, but it's an incredibly powerful account to leave without any form of internal MFA
-
- Service Provider
- Posts: 26
- Liked: 9 times
- Joined: Mar 18, 2014 9:13 am
- Full Name: Mats
Why not modern auth on sharepoint and onedrive?
Hi Veeam
I'm a bit confused. In this forum you have wrote that Microsoft have not api support for modern auth on sharepoint and onedrive.
A potential new customer (we are a service provider and offering o365 backup in our datacenter) informed us that keepit can backup o365 only using modern auth.
How is that possible?
Why is this a big issue for us, the potential new customer have 3000 o365 users and 50 TB of data!
No modern auth, no new customers.
/Mats
I'm a bit confused. In this forum you have wrote that Microsoft have not api support for modern auth on sharepoint and onedrive.
A potential new customer (we are a service provider and offering o365 backup in our datacenter) informed us that keepit can backup o365 only using modern auth.
How is that possible?
Why is this a big issue for us, the potential new customer have 3000 o365 users and 50 TB of data!
No modern auth, no new customers.
/Mats
Mats
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Mats, not everything we offer is available via modern auth so this is a limitation of the API. I merged your post with the ongoing discussion topic where updates are posted once they are available.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
GitHub: https://github.com/nielsengelen
-
- Service Provider
- Posts: 26
- Liked: 9 times
- Joined: Mar 18, 2014 9:13 am
- Full Name: Mats
Re: v3 - LegacyAuthProtocolIsEnabled still required?
Is there any roadmap when supporting modern auth all the way?
We want to keep using Weeam but we are losing this customer.
We want to keep using Weeam but we are losing this customer.
Mats
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: v3 - LegacyAuthProtocolIsEnabled still required?
The update is the same, we are fully looking into this but as Mike said, we will lose some functionality. No ETA for now.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
GitHub: https://github.com/nielsengelen
-
- Service Provider
- Posts: 26
- Liked: 9 times
- Joined: Mar 18, 2014 9:13 am
- Full Name: Mats
Re: v3 - LegacyAuthProtocolIsEnabled still required?
I totally agree with m.novelli, we are fine with only minimal functionality, just to get modern auth working all the way.
Mats
Who is online
Users browsing this forum: No registered users and 11 guests