Maintain control of your Microsoft Office 365 email data
Post Reply
sevasofico
Lurker
Posts: 2
Liked: never
Joined: May 14, 2019 11:54 am
Full Name: Sven Van den Broeck
Contact:

Feature Request: 2FA protection Office 365 account

Post by sevasofico » May 15, 2019 6:48 am

Hello,

It is currently not possible to enable 2FA protection on the account used to connect to Office 365 resources.
We've enabled Modern Authentication in Veeam Backup for Office 365, but this doesn't enforce extra protection on this account.
Our company policy enforces us to protect all external accounts with 2FA, but this account (which needs to be SharePoint admin & Exchange admin) cannot be enabled for 2FA because otherwise, Veeam Backup for Office 365 cannot connect.
So, would it be possible to enlist this as a feature request?

Many thanks,
Sven

Mike Resseler
Product Manager
Posts: 5839
Liked: 640 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Feature Request: 2FA protection Office 365 account

Post by Mike Resseler » May 15, 2019 7:10 am

Hi Sven,

First: Welcome to the forums

Second: I am not sure if I understand this. MFA which we use is double authentication. 2FA (which I assume you mean username/ password and then sms or similar as second authentication) won't work because you will need to perform an action each time a backup job needs to run. That won't be pleasant for the backup admin :-). The MFA with app password is specifically created for this.

sevasofico
Lurker
Posts: 2
Liked: never
Joined: May 14, 2019 11:54 am
Full Name: Sven Van den Broeck
Contact:

Re: Feature Request: 2FA protection Office 365 account

Post by sevasofico » May 16, 2019 8:25 am

Hi Mike,

I agree the connection of Veeam Backup for Office 365 is secure with proper MFA (modern authentication).
But at the same time, it leaves the account used to connect exposed in Office 365 itself, because it can still be used to connect to Office 365 (with SharePoint & Exchange admin permissions) outside of Veeam.
Is there some way to either limit the account so it can only be used for Veeam or either to allow accounts with 2FA enabled within Veeam?
Microsoft uses a principle where you can trust a "device", so I guess our backup-server could be added as a trusted device?
That way, only the first time I would have to be required to perform double authentication.
Hopefully, this has clarified my question a bit?

Mike Resseler
Product Manager
Posts: 5839
Liked: 640 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Feature Request: 2FA protection Office 365 account

Post by Mike Resseler » May 17, 2019 5:04 am

I think I understand it now...

One of the things that I have been told by customers is that they (for example) use still basic authentication (which is still possible with O365) but use conditional access to limit the access from a specific location (the VBO server) or something similar. Would that help? By the way, if you enable it with 2FA but apply the modern authentication on it, it should work? Have you seen the whitepaper where we described the entire process? One of the things is that you still need to do this 2FA the first time (if I am not mistaken) during setup of the account.

The WP: https://www.veeam.com/wp-modern-authent ... ce-v3.html (Page 10 it starts). Hope it helps

Post Reply

Who is online

Users browsing this forum: Google [Bot] and 4 guests