Maintain control of your Microsoft Office 365 email data
omegagx
Enthusiast
Posts: 49
Liked: 2 times
Joined: May 09, 2017 6:33 pm
Full Name: Michael Gorn
Contact:

Microsoft will force MFA for all Global Admins in O365 soon

Post by omegagx » Jul 17, 2018 7:58 pm

Microsoft just released this baseline policy in preview:
https://cloudblogs.microsoft.com/enterp ... c-preview/
but it will shortly enable this for everyone, forcing all Global Administrators to have MFA turned on. This baseline policy is available under: https://portal.azure.com/#blade/Microso ... e/Policies

As soon as we enabled this policy, Veeam Backup for Microsoft Office 365 broke with the following errors:

Connecting to remote server outlook.office365.com failed with the following error message : Access is denied.
For more information, see the about_Remote_Troubleshooting Help topic.

and

The request failed with HTTP status 401: Unauthorized.

Looks like Microsoft has supported connecting to Exchange Online using PowerShell with MFA since the middle of last year:
https://docs.microsoft.com/en-us/powers ... xchange-ps

You just need to use the following string:

Connect-EXOPSSession -UserPrincipalName <UPN>

instead of these commands:

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

Since "Veeam for Office 365" doesn't support MFA, it appears that as soon as Microsoft makes this baseline policy the default (soon), your product will no longer support "Office 365". :-( :( :( :(

When would Veeam start supporting MFA? Currently we can no longer use this product since we are required to use this baseline policy. We also opened a support case #03105881 on this.
Thanks.

Mike Resseler
Product Manager
Posts: 5446
Liked: 573 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by Mike Resseler » Jul 18, 2018 5:17 am

Hi Michael,

I understand that you need to enable this policy but there are a few remarks that I would like to make (and you will see below, I will make remarks on our software also)

1. Even if you enable this policy, I trust you are adding an emergency access account as an exclusion? A service account can be added there also. The reason for this VBO service account is quite simple. We can love MFA, but a solution cannot work if the service account has MFA enabled. MFA requires human interaction. So you will always need somewhere an account without MFA. This is not only for us, this will be for many solutions that connect to O365 (or other cloud services) and need interaction and authentication.
2. After GA (we are very close) of 2.0 we will do some testing with the concept of app-passwords to see what the results are.
3. EWS has received end of life statement (2020). This will require us to make some changes (which we are investigating already) and one of the changes will be that applications need to be written so they become trusted applications, bypassing the MFA requirement (Yes, this is a Microsoft requirement so one way or another, in the future, you still will have some parts in your organization that bypasses MFA)
4. What we certainly should do (and consider this a feature request that I am very aware of ;-)) is the possibility to offer MFA when you do a restore with a specific account. To me personally, this is a high-priority one.

Now for some questions from my side ;-)
1. Will an app-password be good enough as a start to continue working with our solution?
2. In the future, what would be your preference (for the service account) to bypass the MFA requirement? And, are you willing to "renew" the MFA bypass every X days (You can bypass for example for 30 days, but then you need to renew again...)

Hope it helps, let me know if you need more clarification
Mike

omegagx
Enthusiast
Posts: 49
Liked: 2 times
Joined: May 09, 2017 6:33 pm
Full Name: Michael Gorn
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by omegagx » Jul 18, 2018 1:16 pm

Looks like this baseline policy doesn't allow for exceptions - if an account is a Global Administrator, then MFA is enabled. I couldn't find a way to exclude an account from it.

Currently, we are unable to back up any of our Exchange Online mailboxes, so any solution would work. Can you walk me through creating an application password to fix this issue?

MILJW002
Enthusiast
Posts: 30
Liked: 2 times
Joined: Apr 29, 2017 2:26 pm
Full Name: James Miller
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by MILJW002 » Jul 18, 2018 1:21 pm

Hi,

Just one thing. You don’t need a Global Admin account for backup. I made a custom role in Exchange Online and this is the only access my service account is using. The roles were:

ApplicationImpersonation
View-Only Configuration
View-Only Recipients

J
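
The least-privilege setup described in the post above, as an added example that is not part of the original post and is not Veeam's own code: it creates an Exchange Online role group holding only the three listed roles, then audits what the service account can actually reach. The role group name and the account `svc-backup@contoso.example` are placeholders, and an open Exchange Online PowerShell session is assumed.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already open
# (for instance via Connect-EXOPSSession) under an admin allowed to manage role groups.
# $GroupName and $ServiceAccount are placeholders, not values from the thread.
$GroupName      = 'Backup Service Access'
$ServiceAccount = 'svc-backup@contoso.example'

# The three roles listed in the post; nothing else is granted.
$AllowedRoles = @(
    'ApplicationImpersonation',
    'View-Only Configuration',
    'View-Only Recipients'
)

# Create the role group once, with the service account as its only member.
if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName -Roles $AllowedRoles -Members $ServiceAccount |
        Out-Null
}

# Audit: -RoleAssignee returns direct assignments and those inherited through
# role groups. End-user roles that come from a role assignment policy, if
# returned, are skipped because every mailbox user has them.
$Assignments = Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount |
    Where-Object { $_.RoleAssigneeType -ne 'RoleAssignmentPolicy' }

# Anything outside the allow-list means the account is over-privileged
# in Exchange Online (this does not inspect Azure AD directory roles).
$Unexpected = $Assignments |
    Where-Object { $AllowedRoles -notcontains [string]$_.Role }

if ($Unexpected) {
    Write-Warning "$ServiceAccount holds roles beyond the backup allow-list:"
    $Unexpected | Format-Table Name, Role, RoleAssigneeName, RoleAssigneeType
}
else {
    Write-Output "$ServiceAccount is limited to: $($AllowedRoles -join ', ')"
}
```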

Mike Resseler
Product Manager
Posts: 5446
Liked: 573 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by Mike Resseler » Jul 18, 2018 1:21 pm

Hmmm,

In the first link you sent us, there is a screenshot under point 4. At the bottom you see the exclusion. Could you check if you can see it?

omegagx
Enthusiast
Posts: 49
Liked: 2 times
Joined: May 09, 2017 6:33 pm
Full Name: Michael Gorn
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by omegagx » Jul 18, 2018 5:45 pm

Any reason why the "release notes" or documentation don't specify that enabling MFA will break the product?

Mike Resseler
Product Manager
Posts: 5446
Liked: 573 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by Mike Resseler » Jul 18, 2018 5:54 pm

Michael,

Not really. Actually a good tip to add to the notes. Probably my mind that concluded automatically that MFA cannot work for a service account ;-)

omegagx
Enthusiast
Posts: 49
Liked: 2 times
Joined: May 09, 2017 6:33 pm
Full Name: Michael Gorn
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by omegagx » Jul 18, 2018 6:00 pm

I also couldn't find any KB articles on this issue even though it was first reported on this forum in 2016.

DavidReimers
Enthusiast
Posts: 48
Liked: 2 times
Joined: Sep 20, 2010 4:39 am
Full Name: David Reimers
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by DavidReimers » Jul 23, 2018 4:41 am 1 person likes this post

Using MFA for Exchange Online PowerShell is relatively straightforward and well documented above.

What is trickier is getting Azure AD to work. You need PowerShell Gallery to get the updated Azure AD modules, and that needs PowerShell 5, and that needs Windows Management Framework 5. This is a good backgrounder on PowerShell Gallery: https://docs.microsoft.com/en-us/powers ... ng-started

Get Windows Management Framework 5.1 (https://www.microsoft.com/en-us/downloa ... x?id=54616)
Once you've got WMF 5, installed it and rebooted, get PowerShell Gallery (https://www.powershellgallery.com).
Once you've got that, install the latest PowerShell Get (https://www.powershellgallery.com/packa ... lGet/1.6.6). The command is:

Install-Module -Name PowerShellGet -Force

Then you can get the AzureADPreview module. I used the preview version, because I needed the newer commands to manipulate the organisation policies for authentication timeouts. https://www.powershellgallery.com/packages/AzureAD/ In true Microsoft fashion, the preview version is needed to actually do a lot of the newer commands like New-AzureADPolicy.

Install-Module -Name AzureADPreview

or, if you've already got AzureAD installed

Install-Module -Name AzureADPreview -AllowClobber

Once you've got all this done, you can then load the AzureAD modules:

Import-Module AzureADPreview
Connect-AzureAD

And you'll get the Modern Auth-style dialog pop up.

Hope this helps anyone struggling with it. We have previously just turned off MFA temporarily but I suspect this will be increasingly harder to do in future.

thuizenga
Influencer
Posts: 22
Liked: never
Joined: May 08, 2010 2:00 am
Full Name: Travis h
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by thuizenga » Aug 21, 2018 8:53 pm

Mike Resseler wrote:

Hi Michael,

I understand that you need to enable this policy but there are a few remarks that I would like to make (and you will see below, I will make remarks on our software also)

1. Even if you enable this policy, I trust you are adding an emergency access account as an exclusion? A service account can be added there also. The reason for this VBO service account is quite simple. We can love MFA, but a solution cannot work if the service account has MFA enabled. MFA requires human interaction. So you will always need somewhere an account without MFA. This is not only for us, this will be for many solutions that connect to O365 (or other cloud services) and need interaction and authentication.
2. After GA (we are very close) of 2.0 we will do some testing with the concept of app-passwords to see what the results are.
3. EWS has received end of life statement (2020). This will require us to make some changes (which we are investigating already) and one of the changes will be that applications need to be written so they become trusted applications, bypassing the MFA requirement (Yes, this is a Microsoft requirement so one way or another, in the future, you still will have some parts in your organization that bypasses MFA)
4. What we certainly should do (and consider this a feature request that I am very aware of ;-)) is the possibility to offer MFA when you do a restore with a specific account. To me personally, this is a high-priority one.

Now for some questions from my side ;-)
1. Will an app-password be good enough as a start to continue working with our solution?
2. In the future, what would be your preference (for the service account) to bypass the MFA requirement? And, are you willing to "renew" the MFA bypass every X days (You can bypass for example for 30 days, but then you need to renew again...)

Hope it helps, let me know if you need more clarification
Mike

+1 for app password support.

I just started testing version 2.0 and was excited to try out OneDrive / SharePoint features, but was slapped in the face with a 401 error. Support suggested I set "Apps that don't use modern authentication" to allow?

There is no way we could make that change; we use MAM policies, which would all be disabled by making that change.

Mike Resseler
Product Manager
Posts: 5446
Liked: 573 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by Mike Resseler » Aug 22, 2018 5:20 am 1 person likes this post

Hey Travis,

We are working on something at this moment but it will take us some time. We are investigating different solutions to solve this problem.

Robvil
Expert
Posts: 128
Liked: 8 times
Joined: Oct 03, 2016 12:41 pm
Full Name: Robert
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 s

Post by Robvil » Aug 28, 2018 8:16 pm

Under Azure AD "Conditional access - Policies" you can exclude admin users which should not have MFA required.

thuizenga
Influencer
Posts: 22
Liked: never
Joined: May 08, 2010 2:00 am
Full Name: Travis h
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by thuizenga » Oct 11, 2018 8:12 pm

Just curious if anyone has had any luck with this. We went in, created a new user, created a new role and assigned the role to Exchange, and mailbox backups seem to still be working, but I am trying to figure out how to grant the permission for SharePoint/OneDrive. The precheck comes out fine, but I still get the same error when trying to do backups other than mailbox.

Mike Resseler
Product Manager
Posts: 5446
Liked: 573 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by Mike Resseler » Oct 12, 2018 4:56 am

Travis,

Did you exclude that user from MFA?

thuizenga
Influencer
Posts: 22
Liked: never
Joined: May 08, 2010 2:00 am
Full Name: Travis h
Contact:

Re: Microsoft will force MFA for all Global Admins in O365 soon

Post by thuizenga » Oct 15, 2018 8:27 pm

We don't see multi-factor being enabled for this user.
