Maintain control of your Microsoft 365 data
Polina
Veeam Software
Posts: 3195
Liked: 774 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina » 1 person likes this post

We heard you loud and clear, and we're actively working on the solution atm.
c.schulzejn
Enthusiast
Posts: 53
Liked: 3 times
Joined: Oct 24, 2018 8:22 am
Full Name: Christoph Schulze

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by c.schulzejn »

I agree too.
If it's just some features, which prevent using modern auth, then make them optional or give a warning message, that feature X, Y and Z won't work with it.
Polina
Veeam Software
Posts: 3195
Liked: 774 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina » 1 person likes this post

Christoph,

That's noted!
mcbsys
Influencer
Posts: 19
Liked: 5 times
Joined: Sep 07, 2018 3:23 pm

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by mcbsys » 1 person likes this post

I too have been bitten by the forced downgrade from the "beta" baseline policies to the final all-or-nothing Security Defaults.

Thanks to this thread, I realized that as a Microsoft Action Pack partner, I have 5 Enterprise Mobility + Security E3 internal use licenses, which includes Azure AD Premium P1 (normally $6/user/month), which includes the ability to set up Conditional Access Policies (CAPs). After applying that to just one user in my tenant, the Add button is no longer grayed out and I can start adding CAPs. So I'm pretty sure I could get VBO working again by disabling Security Defaults, then setting up granular CAPs and allowing legacy auth for the VBO service account.

Also thanks to this thread, I'm not sure that's a good idea.

Not sure if this helps, but I haven't seen anyone mention here that Exchange Powershell now fully supports modern auth MFA. I guess I can't post links here, but you can find the Microsoft docs article by searching for "Connect to Exchange Online PowerShell using multi-factor authentication." It's inconvenient (requires installing a helper app), but it works. Of course that only requires temporary access whereas Veeam requires permanent, service-level access, so not sure if the tokens could be obtained and stored the same way.

In the opening entry for case 04009203, I've posted a link to a competitor's O365 backup app that as far as I know obtains and retains all its permissions through modern auth. It's basically a full screen of "Is it okay to give this app the following permissions?" Of course I don't know if Veeam needs permissions that the other app doesn't, or if the other app is excluding items that Veeam captures.

Looking forward to seeing Veeam's solution to this!
paulyberg
Lurker
Posts: 1
Liked: never
Joined: Feb 27, 2020 1:25 am
Full Name: Paul Youngberg

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by paulyberg »

My tenant doesn't even have access to use app passwords anymore, even with the "Allow users to create app passwords to sign in to non-browser apps" service setting enabled. If you enforce Multi-Factor Authentication through Conditional Access policies and not through per-user MFA, you cannot create app passwords. Applications that use Conditional Access policies to control access do not need app passwords. (https://docs.microsoft.com/en-us/azure/ ... -passwords) In fact, the preview version of the new AAD combined SSPR / MFA registration experience hides the option to create app passwords entirely, so it appears Microsoft is very close to disabling this option on tenants everywhere (https://docs.microsoft.com/en-us/azure/ ... r-combined)

Microsoft is completely disabling the legacy / basic auth methods in Exchange Online in October 2020, so keep in mind this will start to affect everyone very soon. (https://techcommunity.microsoft.com/t5/ ... -p/1191282)

As of now we've spent the last 6 months of our 12 month Veeam O365 subscription without O365 backups because of the problem with not being able to use app passwords.
Polina
Veeam Software
Posts: 3195
Liked: 774 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina »

Hi Paul,

VBO is getting ready for the changes and will be able to work without app passwords and legacy protocols. The functionality will remain as rich as Graph APIs allow to implement, but some limitations are inevitable.

In your case with CA policies, a workaround would have been first to manually enable your backup service account for MFA and create an app password before enabling the CA policies (based on what we were seeing in our labs).

Thanks!
jmerchan
Service Provider
Posts: 15
Liked: 3 times
Joined: Jul 05, 2010 8:12 am
Full Name: Jose

[MERGED] enabling security defaults breaks backups

Post by jmerchan »

Hello.

We are a Microsoft CSP partner, and Microsoft forced all CSP partners to enable Security Defaults before 29 February.

But when we enabled Office365 Security Defaults, backups from Veeam for Office 365 v4 stopped working.

Is there another Microsoft CSP Partner that resolved this issue?

Thanks, best regards
Polina
Veeam Software
Posts: 3195
Liked: 774 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina »

Hi Jose,

I merged your post to the relevant discussion.

To get your backups working again while staying compliant to Microsoft partner security requirements, you'll need to disable security defaults and configure a set of common CA policies instead. Make sure to exclude your VBO service account from the Block legacy authentication policy, since legacy protocols are currently required for VBO. Also, make sure to enable app passwords for your service account, as documented here.

Thanks!
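
An added example, not part of the original post and not Veeam's code: one way to audit the exclusion described above, so that the only identity exempt from the "Block legacy authentication" policy is the backup service account. It assumes the policies were exported as JSON in the shape of Microsoft Graph `conditionalAccessPolicy` objects; the object IDs, sample policies and function names are constructed for illustration.

```python
import json

# Graph clientAppTypes values that denote legacy-authentication clients.
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}

# Constructed sample export; IDs and display names are placeholders.
SAMPLE_POLICIES = json.loads("""
[
  {"displayName": "Block legacy authentication", "state": "enabled",
   "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"],
                  "users": {"includeUsers": ["All"],
                            "excludeUsers": ["id-vbo-svc", "id-old-admin"],
                            "excludeGroups": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
  {"displayName": "Require MFA for all users", "state": "enabled",
   "conditions": {"clientAppTypes": ["all"],
                  "users": {"includeUsers": ["All"], "excludeUsers": [],
                            "excludeGroups": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]
""")


def blocks_legacy_auth(policy):
    """True if the policy's grant control is 'block' and it targets legacy clients."""
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    client_types = set(policy.get("conditions", {}).get("clientAppTypes", []))
    return "block" in controls and bool(client_types & LEGACY_CLIENT_TYPES)


def audit_legacy_exclusions(policies, approved_ids):
    """Return findings: missing enforcement, or exclusions beyond the approved IDs."""
    findings = []
    # Report-only or disabled policies do not actually block anything.
    enforced = [p for p in policies
                if blocks_legacy_auth(p) and p.get("state") == "enabled"]
    if not enforced:
        findings.append("no enabled policy blocks legacy authentication")
    for p in enforced:
        users = p["conditions"].get("users", {})
        for uid in users.get("excludeUsers", []):
            if uid not in approved_ids:
                findings.append(f"{p['displayName']}: unapproved excluded user {uid}")
        # Group exclusions hide who is exempt, so always surface them for review.
        for gid in users.get("excludeGroups", []):
            findings.append(f"{p['displayName']}: excluded group {gid} (review membership)")
    return findings


if __name__ == "__main__":
    for finding in audit_legacy_exclusions(SAMPLE_POLICIES, {"id-vbo-svc"}):
        print(finding)
```
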
jcl2rk
Lurker
Posts: 1
Liked: never
Joined: Mar 03, 2020 2:42 pm
Full Name: John Clark

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by jcl2rk »

I have ensured security defaults are disabled.
I made the policy that excludes vbo_account from legacy auth.
I'm still getting this error

"Check legacyAuthProtocolsEnabled: "center" is an unexpected token.
The expected token is "". Line 7, position 12.

Any suggestion? Thanks!

Case #04019814
mamosorre84
Veeam Legend
Posts: 351
Liked: 36 times
Joined: Oct 24, 2016 3:56 pm
Full Name: Marco Sorrentino
Location: Ancona - Italy

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by mamosorre84 »

Polina wrote: Feb 28, 2020 12:09 pm
Hi Jose,

I merged your post to the relevant discussion.

To get your backups working again while staying compliant to Microsoft partner security requirements, you'll need to disable security defaults and configure a set of common CA policies instead. Make sure to exclude your VBO service account from the Block legacy authentication policy, since legacy protocols are currently required for VBO. Also, make sure to enable app passwords for your service account, as documented here.

Thanks!

Hello Polina,

Just to better understand: is this change due to updated Microsoft security requirements or something introduced with the VBO v4 version?

Before the upgrade from v3 to v4 my backups worked fine; I don't know if it is just a coincidence.

Thanks

Marco S.
JamieRidgeway
Service Provider
Posts: 16
Liked: never
Joined: Mar 07, 2018 10:25 am
Full Name: Jamie Ridgeway

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by JamieRidgeway »

Hi,

With Microsoft deprecating basic authentication for Exchange Online in October 2020 I raised a support case to check if this would affect our tenants' backups currently using basic authentication. It now sounds like this will affect all backups no matter if they are using basic or modern authentication, as both still utilise some kind of basic auth on the 365 side.

Can you advise if there will be an update that will avoid this causing a major problem with the product?

Kind regards
Jamie
nielsengelen
Product Manager
Posts: 5797
Liked: 1215 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by nielsengelen »

Jamie, we are working hard on a solution for this sudden change. As you stated, it was meant for October but pushed forward by Microsoft.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
mamosorre84
Veeam Legend
Posts: 351
Liked: 36 times
Joined: Oct 24, 2016 3:56 pm
Full Name: Marco Sorrentino
Location: Ancona - Italy

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by mamosorre84 »

Hi,

I don't understand: is a Veeam account with MFA also affected?

Thanks

Marco S.
nielsengelen
Product Manager
Posts: 5797
Liked: 1215 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by nielsengelen »

It is a change on Microsoft’s side, not on Veeam. We will resolve this issue. If you are facing specific errors or issues, you should contact support for insight.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
mamosorre84
Veeam Legend
Posts: 351
Liked: 36 times
Joined: Oct 24, 2016 3:56 pm
Full Name: Marco Sorrentino
Location: Ancona - Italy

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by mamosorre84 »

Hi Niels,

I'm glad to hear you're working on it, but even if it is a change on the Microsoft side, it would be useful for Veeam users to have an official KB where the problem and the possible workaround are indicated, rather than wasting time opening tickets..

Marco S.
nielsengelen
Product Manager
Posts: 5797
Liked: 1215 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by nielsengelen »

Marco, the reason why I mention using support is because you stated v3 was working and v4 isn't working but it isn't clear what error you are seeing and if it is related to this.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
mamosorre84
Veeam Legend
Posts: 351
Liked: 36 times
Joined: Oct 24, 2016 3:56 pm
Full Name: Marco Sorrentino
Location: Ancona - Italy

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by mamosorre84 »

Hi Niels,

the errors are:

Connect to EWS: The request failed with HTTP status 401: Unauthorized.
Connect to PowerShell: Connecting to remote server outlook.office365.com failed with the following error message : Access is denied

I'm using VBO365 latest patch (4.0.0.2516), and testing both with MFA and legacy account configured as https://www.veeam.com/kb2969

I'd like to understand if I'm in this "bug" or not.

If not, it makes sense to open a ticket..

Thanks

Marco S.
nielsengelen
Product Manager
Posts: 5797
Liked: 1215 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by nielsengelen »

Marco, please open a ticket as this message can mean multiple things. I can't say if it is related to this change by Microsoft or not as this is most likely a configuration issue for the used account. Could you also give us the case ID once opened (can be in private message)?
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
mamosorre84
Veeam Legend
Posts: 351
Liked: 36 times
Joined: Oct 24, 2016 3:56 pm
Full Name: Marco Sorrentino
Location: Ancona - Italy

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by mamosorre84 »

Ok, thank you ;)
Polina
Veeam Software
Posts: 3195
Liked: 774 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina »

@mamosorre84,

This may be a coincidence if along with the VBO upgrade you have changed the security settings in your O365 Admin Center and enabled the new Security Defaults.
Please continue working with support engineers; we'll follow up on the investigation by your case ID.

Thanks!
thomas_ack
Service Provider
Posts: 5
Liked: never
Joined: Apr 11, 2019 9:32 am
Full Name: Thomas

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by thomas_ack »

We are facing the same issues. Veeam Case #04034139
We are hoping for a fast fix because we cannot change anything ourselves. As already mentioned, Security defaults are mandatory for CSP partners and legacy auth is shut down completely for this tenant.
Polina
Veeam Software
Posts: 3195
Liked: 774 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina »

Thomas,

Following Microsoft documentation, security defaults are not mandatory for partners to stay compliant. The main requirement is to enable MFA for all users within a tenant with no exceptions.

However, we do understand your concerns and are working now to ensure the VBO support for any O365 tenants regardless of their configuration. The fix is coming soon, please stay tuned for updates here on forums.

Thanks!
Polina
Veeam Software
Posts: 3195
Liked: 774 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Polina » 2 people like this post

... it would be useful for Veeam users to have an official KB where the problem and the possible workaround are indicated...
Please refer to KB 3125 for more information on the workaround.
m.novelli
Veeam ProPartner
Posts: 566
Liked: 103 times
Joined: Dec 29, 2009 12:48 pm
Full Name: Marco Novelli
Location: Asti - Italy

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by m.novelli »

Hi guys, just got this newsletter from SkyKick competitor. Seems they are able to work even with Security Defaults turned on, thanks to an "Azure Active Directory Agent (AADA)"

Cheers

Dear Marco,

Security in the Cloud has become only more important recently with the dramatic acceleration of remote working scenarios. Over the past several years SkyKick’s focus has been developing the technology to protect your customers’ intellectual property through continued product innovation. Today, we are taking the next step in our commitment to security by transitioning from basic to modern authentication with the support of OAuth. This will allow Multi-Factor Authentication (MFA) to be enabled on all user accounts in Office 365.

Moving forward, when creating a new subscription on the SkyKick Partner Portal or most marketplaces, Office 365 global administrator credentials will be provided directly to Microsoft. This modern authentication flow installs the SkyKick Azure AD application for more secure access. Additionally, Cloud Backup introduced some minor user experience updates based on partner feedback. You can learn more about the latest Cloud Backup subscription management options here.

So, what do I need to do?

For all active subscriptions, SkyKick recommends that you enable Security Defaults on Office 365 tenants and change the password for the tenant’s global administrator account provided during initial subscription creation. There is no additional action required on your part. SkyKick has updated the subscriptions to support modern authentication.

What about subscriptions placed through marketplaces?

SkyKick is working closely with the marketplaces to help with the transition to modern authentication. In some marketplaces, the transition has already been completed. For these, global administrator credentials will be provided directly to Microsoft. However, with some you will still need to provide the global administrator credentials on their site using basic authentication. For those, once Cloud Backup has installed the Azure Active Directory Agent (AADA), those credentials are no longer required, so you can then change the administrator’s password and enable Security Defaults on Office 365 tenant. To get full list of marketplaces which support modern authentication, please see Marketplaces and authentication for Cloud Backup.
nielsengelen
Product Manager
Posts: 5797
Liked: 1215 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by nielsengelen » 2 people like this post

Hi Marco, we are working on an update for this to support this change by Microsoft asap. We'll update this thread once it is available.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
m.novelli
Veeam ProPartner
Posts: 566
Liked: 103 times
Joined: Dec 29, 2009 12:48 pm
Full Name: Marco Novelli
Location: Asti - Italy

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by m.novelli »

Super!
m.novelli
Veeam ProPartner
Posts: 566
Liked: 103 times
Joined: Dec 29, 2009 12:48 pm
Full Name: Marco Novelli
Location: Asti - Italy

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by m.novelli » 1 person likes this post

Today I've upgraded to VBO 4.0.0.2516 (before I had build 4.0.0.1553) and I've tried again to connect to O365 with Security Defaults turned ON and... it worked! I don't know if Microsoft changed something on the backend

VBO is backing up my mailboxes right now, I'm super happy

Marco
mamosorre84
Veeam Legend
Posts: 351
Liked: 36 times
Joined: Oct 24, 2016 3:56 pm
Full Name: Marco Sorrentino
Location: Ancona - Italy

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by mamosorre84 » 1 person likes this post

I confirm it works now!

Waiting for Veeam official announcement.. :)

Marco S.
Mildur
Product Manager
Posts: 9848
Liked: 2607 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mildur » 1 person likes this post

Microsoft has postponed the process of disabling Basic Auth to 2021. This could be the reason that it's working again :) Something changed in the background, either if you have enabled or disabled security settings.

https://techcommunity.microsoft.com/t5/ ... M.facebook
Product Management Analyst @ Veeam Software
Mike Resseler
Product Manager
Posts: 8191
Liked: 1322 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mike Resseler » 2 people like this post

@Mildur Yep, we have seen the same news. We will look into this during this week to see what effectively has changed on the backend. If this is the case, it does have a few advantages:
* We are working on a full MFA support version (out soon) but it does come with a few limitations
* As an example, you will see that creating a job with dynamic distribution groups won't work anymore because we cannot query the information without basic auth. And there is other functionality that doesn't work because it is not available in the newest methods for query.
* We made MSFT aware of it, and they are very willing to work on it, but it obviously takes some time.
So basically, with this new deadline, there is a chance that we will have full functionality again by 2021, while supporting the default security baseline very soon. Fingers crossed :-)