Maintain control of your Microsoft Office 365 email data
Post Reply
omegagx
Enthusiast
Posts: 57
Liked: 3 times
Joined: May 09, 2017 6:33 pm
Full Name: Michael Gorn
Contact:

Microsoft will force MFA for all Global Admins in O365 soon

Post by omegagx » Jul 17, 2018 7:58 pm

Microsoft just released this baseline policy in preview:
https://cloudblogs.microsoft.com/enterp ... c-preview/
but it will shortly enable this for everyone, forcing all Global Administrators to have MFA turned on. This baseline policy is available under: https://portal.azure.com/#blade/Microso ... e/Policies

As soon as we enabled this policy, Veeam Backup for Microsoft Office 365 broke with the following errors:

Code: Select all

Connecting to remote server outlook.office365.com failed with the following error message : Access is denied.
For more information, see the about_Remote_Troubleshooting Help topic.
and

Code: Select all

The request failed with HTTP status 401: Unauthorized.
Looks like Microsoft supported connecting to Exchange Online using PowerShell with MFA, since the middle of last year:
https://docs.microsoft.com/en-us/powers ... xchange-ps

You just need to use the following string:

Code: Select all

Connect-EXOPSSession -UserPrincipalName <UPN>
instead of these commands:

Code: Select all

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
Since "Veeam for Office 365" doesn't support MFA, it appears that as soon as Microsoft makes this baseline policy the default (soon), your product will no longer support "Office 365". :-( :( :( :(

When would Veeam start supporting MFA? Currently we can no longer this product since we are required to use this baseline policy. We also opened a support case #03105881 on this.
Thanks.

Mike Resseler
Product Manager
Posts: 5700
Liked: 601 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by Mike Resseler » Jul 18, 2018 5:17 am

Hi Michael,

I understand that you need to enable this policy but there are a few remarks that I would like to make (and you will see below, I will make remarks on our software also)

1. Even if you enable this policy, I trust you are adding a emergency access account as an exclusion? A service account can be added there also. The reason for this VBO service account is quite simple. We can love MFA, but a solution cannot work if the service account has MFA enabled. MFA requires human interaction. So you will always need somewhere an account without MFA. This is not only for us, this will be for many solutions that connect to O365 (or other cloud services) and need interaction and authentication.
2. After GA (we are very close) of 2.0 we will do some testing with the concept of app-passwords to see what the results are.
3. EWS has received end of life statement (2020). This will require us to make some changes (which we are investigation already) and one of the changes will be that applications need to be written so they become trusted applications, bypassing the MFA requirement (Yes, this is a Microsoft requirement so one way or another, in the future, you still will have some parts in your organization that bypasses MFA)
4. What we certainly should do (and consider this a feature request that I am very aware off ;-)) is the possibility to offer MFA when you do a restore with a specific account. To me personally, this is a high-priority one.

Now for some questions from my side ;-)
1. Will an app-password be good enough as a start to continue working with our solution?
2. In the future, what would be your preference (for the service account) to bypass the MFA requirement. And, are you willing to "renew" the MFA bypass every X day (You can bypass for example for 30 days, but then you need to renew again...)

Hope it helps, let me know if you need more clarification
Mike

omegagx
Enthusiast
Posts: 57
Liked: 3 times
Joined: May 09, 2017 6:33 pm
Full Name: Michael Gorn
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by omegagx » Jul 18, 2018 1:16 pm

Looks like this baseline policy doesn't allow for exceptions - if an account is a Global Administrator, then MFA is enabled. I couldn't find a way to exclude an account from it.

Currently, we are unable to backup any of our Exchange Online mailboxes, so any solution would work. Can you walk me through creating an application password to fix this issue?

MILJW002
Enthusiast
Posts: 30
Liked: 2 times
Joined: Apr 29, 2017 2:26 pm
Full Name: James Miller
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by MILJW002 » Jul 18, 2018 1:21 pm

Hi,

Just one thing. You don’t need a Global Admin account for backup. I made a custom role in Exchange Online and this is the only access my service account is using. The roles were:

ApplicationImpersonation
View-Only Configuration
View-Only Recipients

J

Mike Resseler
Product Manager
Posts: 5700
Liked: 601 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by Mike Resseler » Jul 18, 2018 1:21 pm

Hmmm,

In the first link you sent us, there is a screenshot under point 4. At the bottom you see the exclusion. Could you check if you can see it?

omegagx
Enthusiast
Posts: 57
Liked: 3 times
Joined: May 09, 2017 6:33 pm
Full Name: Michael Gorn
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by omegagx » Jul 18, 2018 5:45 pm

Any reason why the "release notes" or documentation don't specify that enabling MFA will break the product?

Mike Resseler
Product Manager
Posts: 5700
Liked: 601 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by Mike Resseler » Jul 18, 2018 5:54 pm

Michael,

Not really. Actually a good tip to add to the notes. Probably my mind that concluded automatically that MFA cannot work for a service account ;-)

omegagx
Enthusiast
Posts: 57
Liked: 3 times
Joined: May 09, 2017 6:33 pm
Full Name: Michael Gorn
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by omegagx » Jul 18, 2018 6:00 pm

I also couldn't find any KB articles on this issue even though it was first reported on this forum in 2016.

DavidReimers
Enthusiast
Posts: 49
Liked: 2 times
Joined: Sep 20, 2010 4:39 am
Full Name: David Reimers
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by DavidReimers » Jul 23, 2018 4:41 am 1 person likes this post

Using MFA for Exchange Online PowerShell is relatively straightforward and well documented above.

What is tricker is getting Azure AD to work. You need PowerShell Gallery to get the updated Azure AD modules, and that needs PowerShell 5, and that needs Windows Management Framework 5. This is a good backgrounder on PowerShell Gallery: https://docs.microsoft.com/en-us/powers ... ng-started

Get Windows Management Framework 5.1 (https://www.microsoft.com/en-us/downloa ... x?id=54616)
Once you've got WMF 5, installed it and rebooted, get PowerShell Gallery (https://www.powershellgallery.com).
Once you've got that, install the latest PowerShell Get (https://www.powershellgallery.com/packa ... lGet/1.6.6). The command is:

Code: Select all

Install-Module -Name PowerShellGet -Force
Then you can get the AzureADPreview module. I used the preview version, because I needed the newer commands to manipulate the organisation policies for authentication timeouts. https://www.powershellgallery.com/packages/AzureAD/ In true Microsoft fashion, the preview version is needed to actually do a lot of the newer command like New-AzureADPolicy.

Code: Select all

Install-Module -Name AzureADPreview


or, if you've already got AzureAD installed

Code: Select all

Install-Module -Name AzureADPreview -allowclobber


Once you've got all this done, you can then load the AzureAD modules:

Code: Select all

import-module AzureADPreview 
connect-AzureAD
And you'll get the Modern Auth-style dialog pop up.

Hope this helps anyone struggling with it. We have previously just turned off MFA temporarily but I suspect this will be increasingly harder to do in future.

thuizenga
Influencer
Posts: 24
Liked: never
Joined: May 08, 2010 2:00 am
Full Name: Travis h
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by thuizenga » Aug 21, 2018 8:53 pm

Mike Resseler wrote:Hi Michael,

I understand that you need to enable this policy but there are a few remarks that I would like to make (and you will see below, I will make remarks on our software also)

1. Even if you enable this policy, I trust you are adding a emergency access account as an exclusion? A service account can be added there also. The reason for this VBO service account is quite simple. We can love MFA, but a solution cannot work if the service account has MFA enabled. MFA requires human interaction. So you will always need somewhere an account without MFA. This is not only for us, this will be for many solutions that connect to O365 (or other cloud services) and need interaction and authentication.
2. After GA (we are very close) of 2.0 we will do some testing with the concept of app-passwords to see what the results are.
3. EWS has received end of life statement (2020). This will require us to make some changes (which we are investigation already) and one of the changes will be that applications need to be written so they become trusted applications, bypassing the MFA requirement (Yes, this is a Microsoft requirement so one way or another, in the future, you still will have some parts in your organization that bypasses MFA)
4. What we certainly should do (and consider this a feature request that I am very aware off ;-)) is the possibility to offer MFA when you do a restore with a specific account. To me personally, this is a high-priority one.

Now for some questions from my side ;-)
1. Will an app-password be good enough as a start to continue working with our solution?
2. In the future, what would be your preference (for the service account) to bypass the MFA requirement. And, are you willing to "renew" the MFA bypass every X day (You can bypass for example for 30 days, but then you need to renew again...)

Hope it helps, let me know if you need more clarification
Mike
+1 for app password support.

I just started testing version 2.0 and was excited to try out one drive / share point features, but was slapped in the face with a 401 error. Support suggested i set "Apps that don't use modern authentication" to allow?

There is no way we could make that change, we use mam policies which would all be disabled by making that change.

Mike Resseler
Product Manager
Posts: 5700
Liked: 601 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by Mike Resseler » Aug 22, 2018 5:20 am 1 person likes this post

Hey Travis,

We are working on something at this moment but it will take us some time. We are investigating different solutions to solve this problem

Robvil
Expert
Posts: 129
Liked: 13 times
Joined: Oct 03, 2016 12:41 pm
Full Name: Robert
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by Robvil » Aug 28, 2018 8:16 pm

Under Azure AD "Conditional access - Policies" you can exclude admin users which should not have MFA required.

thuizenga
Influencer
Posts: 24
Liked: never
Joined: May 08, 2010 2:00 am
Full Name: Travis h
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by thuizenga » Oct 11, 2018 8:12 pm

just curious if anyone has had any luck with this. we went in create a new user and created a new role and assigned the role to exchange and mailbox backups seam to still be working but am trying to figure out how to grant the permission for sharepoint/onedirve. The precheck comes out fine, but i still get the same error when trying to do backups other than mailbox.

Mike Resseler
Product Manager
Posts: 5700
Liked: 601 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by Mike Resseler » Oct 12, 2018 4:56 am

Travis,

Did you exclude that user from MFA?

thuizenga
Influencer
Posts: 24
Liked: never
Joined: May 08, 2010 2:00 am
Full Name: Travis h
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by thuizenga » Oct 15, 2018 8:27 pm

we don't see multi-factor being enabled for this user.

Mike Resseler
Product Manager
Posts: 5700
Liked: 601 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by Mike Resseler » Oct 16, 2018 7:44 am

Travis,

Please make a support call for this. I believe I heard about this before and if I am right, our support team can get you fixed. (And as always, please post the case ID here and the outcome after investigation with the engineers)

Thanks
Mike

thuizenga
Influencer
Posts: 24
Liked: never
Joined: May 08, 2010 2:00 am
Full Name: Travis h
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by thuizenga » Oct 16, 2018 4:09 pm

we got it to work by enabling legacy protocols for the newly created user.

connect-sposervice
set-spotenant -legacyauthprotocolsenabled $true
set-spotenant -requireacceptingaccountmatchinvitedaccount $false

Yeah!

Mike Resseler
Product Manager
Posts: 5700
Liked: 601 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by Mike Resseler » Oct 17, 2018 7:35 am

Thanks Travis.

I will need to look into these PS cmdlets to truly understand what is going on in the backend. I'm not sure to be honest why it needs to be done (I actually thought this was enabled by default...)

stvajnkf
Enthusiast
Posts: 45
Liked: 13 times
Joined: Jan 03, 2017 5:25 pm

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by stvajnkf » Nov 12, 2018 9:05 pm

As of version 2.0.0.567 and 11/12/2018, two-factor authentication is still not working for the main service account that lets Veeam connect to the Office 365 server. It fails when it tries to connect to Microsoft Graph, preventing me from going any further with the backup job setup.

Mike Resseler
Product Manager
Posts: 5700
Liked: 601 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by Mike Resseler » Nov 13, 2018 8:57 am 1 person likes this post

@Stvajnkf,

Our next version will have MFA support and will work with app secrets. I can't give any ETA at this point in time though

jrick
Service Provider
Posts: 22
Liked: 2 times
Joined: Jan 31, 2018 9:31 am
Full Name: Julien Rick
Location: Luxembourg
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by jrick » Jan 10, 2019 11:21 am

Any news about VBO365 and MFA ? My mail team explained me that Microsoft will force MFA for administrators in February and VBO365 need an account with Sharepoint Admin right.

Mike Resseler
Product Manager
Posts: 5700
Liked: 601 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by Mike Resseler » Jan 10, 2019 1:06 pm

Hey Julien,

Can you ask your team where they have found that? I am aware that the default will become MFA-enabled but it is still changeable at your own discretion and if it is not MFA enabled today, it won't be then.

But maybe I missed somewhere an announcement?

Thanks
Mike

DannyMurphy
Influencer
Posts: 15
Liked: 2 times
Joined: Nov 01, 2017 1:24 pm
Full Name: Danny Murphy
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by DannyMurphy » Jan 21, 2019 4:12 pm

Hi Mike,

The enforcement comes from Partner Centre. It gives this link to a PDF to see whats changing and why: http://assetsprod.microsoft.com/securit ... ts-faq.pdf

It'll affect the APIs for partner centre but i don't believe Veeam uses these so it shouldn't affect it. They are however forcing it for all admins soon after according to the Azure which you can see on this link: https://aka.ms/cabaselinemfaforadmins

Polina
Veeam Software
Posts: 828
Liked: 115 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by Polina » Jan 23, 2019 10:43 am

Hi Danny,

Thanks for the info.
First and foremost, we clearly realize the need and urgency for introducing support for MFA-enabled accounts in VBO, and it's already on our roadmap.
Still, the transition to the new baseline policy should be smooth, as Microsoft provides a temporary workaround allowing to exclude users from the policy.

Mike Resseler
Product Manager
Posts: 5700
Liked: 601 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by Mike Resseler » Jan 29, 2019 7:03 am 1 person likes this post

Danny,

To add to what Polina says. MFA-enabled accounts (or better said, modern authentication) will be available in our next version and that is not far away anymore. And as Polina says, there is a workaround. But the one change I would like to make, is that it most likely won't be a temporary workaround. MSFT actually advises to have an "emergency access" acount (https://docs.microsoft.com/en-us/azure/ ... ncy-access).

But for the future, we will indeed advise everyone to use a modern authentication "service account" that will include app ID, app passwords or certificates and more. We are already prepping the documentation for it (Polina is ;-))

DannyMurphy
Influencer
Posts: 15
Liked: 2 times
Joined: Nov 01, 2017 1:24 pm
Full Name: Danny Murphy
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by DannyMurphy » Jan 31, 2019 11:57 am

Perfect, looking forward to it!

Hopefully the update after this one will bring it into B&R :P

Mike Resseler
Product Manager
Posts: 5700
Liked: 601 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by Mike Resseler » Jan 31, 2019 12:13 pm

Hey Danny,

What exactly do you mean with "bringing it into B&R"? For example, bringing it into the UI of B&R does not make any sense to me. Other items might make sense though.

DannyMurphy
Influencer
Posts: 15
Liked: 2 times
Joined: Nov 01, 2017 1:24 pm
Full Name: Danny Murphy
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by DannyMurphy » Feb 01, 2019 9:19 am

Yeah bring it into the UI. One single console for backup infrastructure and one installation, multiple licenses. Makes life easier for service providers :)

Polina
Veeam Software
Posts: 828
Liked: 115 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by Polina » Feb 01, 2019 9:58 am

Hi Danny,

From what I've heard it might be implemented in the future (never say never with Veeam :) ). But as of now isn't Veeam Availability Console meeting the need for a single backup management console?

Post Reply

Who is online

Users browsing this forum: No registered users and 5 guests