WARNING: Upgrade of v5 -> 6.0.0.367 may break if using mixed auth

[AlexHeylin]

Just a heads up to save others from possible pain. You might want to hold off upgrading v6 GA release to v6.0.0.367 for now.

We upgraded from v6 GA to 6.0.0.367 yesterday and in updating the repos a lot of them errored during upgrade but disappeared from the list of repos requiring upgrade. We took the "error" to be an artefact of the upgrade process because they weren't showing as still requiring upgrade.

However several backups on this server failed last night with

Unable to connect to the resource. The specified Azure AD application is missing required application permissions (Microsoft API: Microsoft Graph, permissions: Sites.Read.All).

This was not happening before the upgrade and this affects multiple O365 tenants to which no changes have been made. We conclude that the upgrade process is not as pain free as it could be.
A reboot has not resolved the issue. Of the tenants we've checked, all are set for modern & legacy auth. Orgs set for Modern auth only seem to be OK. If this permission is genuinely missing from O365 - it's because VBO365 didn't grant it during setup in version an earlier version.

It looks like upgrade testing of this release could have been more thorough.
1. Upgrade timed out waiting for service to stop (on a fairly fast machine)
2. "Error"s reported upgrading repos, but repos seem to have upgraded
3. This issue of with mixed auth

I'll open a support case and add the ID when I've got time later today.

[AlexHeylin]

Editing the organisation and switching to Modern Auth only and running through the rest of the wizard resolved the error and jobs now run.

It looks like the deprecation warning about legacy auth should include "You MUST remove legacy Auth now or your backups won't run".

A big heads up in the release notes would have been nice too.

I'm not opening a support case - I have too much to do (editing orgs).

[Polina]

Hi Alex,

First, when and if you get a minute, please create a support call on the issue with repositories. This is the first time when such behavior is reported and I'd like our RnD to look into it.

Next, Sites.Read.All should have come as less privileged permission than Sites.ReadWrite.All required by v5 and no issues were expected. I'll check on this one and get back.

[AlexHeylin]

Hi Polina,

Thanks for the quick response. I've created Case #05433725 for you and copied my posts over and added logs, stating I'm opening at your request.

If I understood you correctly you're saying that because v5 (and presumably v6 GA?) required (Microsoft API: Microsoft Graph, permissions: Sites.ReadWrite.All) that it should already have the permissions it needs? That makes sense to me. I'd suggest that many of the permissions VBO/VBM365 requires as Read, are probably required as ReadWrite (even if not documented as such) if you want to be able to restore to O365. I wonder if the code explicitly checks for (Microsoft API: Microsoft Graph, permissions: Sites.Read.All) rather than checking if it has access to read.

I've now updated all orgs that failed. However when I open VBM365 it still says I've got orgs running basic auth. It would be helpful if it said which orgs. Perhaps that could be added in next release?
Those orgs are running basic only auth, and they backed up fine last night. After switching to modern auth only they still backup OK. It looks like this only affected orgs set for mixed auth under <= the v5 major

Thanks

[AlexHeylin]

Quick edit to say I was upgrading v5 -> v6.0.0.367 on this server. I thought it was already running v6 GA and this was an upgrade to a post-GA fix release. It turns out I was confusing this VBO instance with another which we have already upgraded. Mod - if you're able to change the thread title, please do as I can't see a way to do that. Thanks

[Mildur]

Done

[AlexHeylin]

Just an update on this. Case #05433725 has been taken to investigate only the repo upgrade "failures" (which seem to have been spurious messages, not failures).

Support have said that the permissions errors is due to a permissions change between v5 and v6 - however the docs show no change to (Microsoft API: Microsoft Graph, permissions: Sites.Read.All). The permissions issue is going to be split out to another case and I'll edit this when I have that number.

[AlexHeylin]

Case number for permissions issue: 05442225

[AlexHeylin]

For the repo upgrade "failure" issue - support has advised:

What has been confirmed for this issue:
- It does not cause anything except the label appearance in Console.
- The upgrade itself goes and completes perfectly fine.
- After the upgrade is done, the issue does not come back to Console.

The fix will be included into the next major release.

[AlexHeylin]

For the permissions issue - the required permissions were changed DURING the v5 release cycle (and docs updated with no reference that the additional permission was only required from v5.x.y.x onwards), so when comparing the "new" required permissions for v6 against the "old" permissions for v5 there was no change (because the doc didn't give the "old" permissions for v5). Actually the change was "required" during the v5 cycle, but clearly never tested by VBO or used for these tenants because their backups worked fine. Thus (we think) the permissions was missing on some tenants set up before the permission requirement change during the v5 release, and was never used after the change in v5.

[Mike Resseler]

@AlexHeylin
@Polina is working on fixing the documentation. Hopefully this is changed by the end of this week.

Thanks for letting us know so we can improve the documentation

[AlexHeylin]

Thanks Mike & Polina