Maintain control of your Microsoft Office 365 email data
c.schulzejn
Influencer
Posts: 23
Liked: 1 time
Joined: Oct 24, 2018 8:22 am
Full Name: Christoph Schulze
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by c.schulzejn » Nov 12, 2019 7:44 am

I know you have to use the API Microsoft provides, so please don't be offended.
Microsoft, on the other hand, is pushing us as a Microsoft Partner to use Conditional Access policies. As I don't know whether Veeam is aware of this, I'll post some screenshots for you.

https://partner.microsoft.com/en-us/pcv ... compliance
https://partner.microsoft.com/de-DE/res ... quirements#/

nielsengelen
Veeam Software
Posts: 2837
Liked: 590 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by nielsengelen » Nov 12, 2019 7:58 am 1 person likes this post

We are aware of this, but we (and Microsoft) are also aware that certain things are still not available via the new APIs, and therefore we leverage the legacy path. So far this hasn't caused any issues, but we will continue to push and update as time goes on.
VCP-DCV
Veeam Certified Architect (VMCA)
http://foonet.be

Frohn
Novice
Posts: 9
Liked: 3 times
Joined: Oct 17, 2018 6:13 pm
Full Name: Christian Petersen
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Frohn » Dec 02, 2019 9:49 am 1 person likes this post

Hello

My company is in the process of implementing VBO at the moment, and we have also stumbled upon the need for the SPO legacy protocol to be enabled.

We talked to our contacts at Veeam about it, and they gave us the solution mentioned in this forum thread.

We then decided to dig deep into the solution to see if it was okay to implement (we are currently using CA).
I talked to a colleague of mine who is a Microsoft MVP in Enterprise Mobility and asked him to look at the solution provided.
He then got back to me and told me (short version): "You cannot use CA to prevent the use of the legacy protocol, because the legacy protocol cannot handle CA enforcement. CA is a top-level security measure, and when you enable the legacy protocol in SPO, you can then bypass CA with just username & password."

My first response was: are you sure? He then went a little further and asked a couple of other MVPs with in-depth knowledge of CA policies, and 3 of them told him that he was right in what he told me. One other MVP did not agree and said the exact opposite.
He then went on to ask a Microsoft employee who works in the Intune team, and he confirmed what the 3 other MVPs had told him.

We have now reached out to our contacts at Microsoft to get an answer to the question "Is it safe to enable the legacy protocol in SPO and then use CA to protect it?" We are currently still waiting on the answer.

This is from a blog post regarding this topic:
Some cloud apps also support legacy authentication protocols. This applies, for example, to SharePoint Online and Exchange Online. When a client app can use a legacy authentication protocol to access a cloud app, Azure AD cannot enforce a conditional access policy on this access attempt. To prevent a client app from bypassing the enforcement of policies, you should check whether it is possible to only enable modern authentication on the affected cloud apps.
- This is taken from a Microsoft MVP (Enterprise mobility) - https://alberthoitingh.com/2018/04/26/m ... on-beware/ -
His source is: https://docs.microsoft.com/en-us/azure/ ... -practices

And that basically confirms what we have been told so far.

So, my question to you guys who have enabled the legacy protocol in SPO and are using CA to protect it: do you have any confirmation from an official source that it's absolutely 100% safe and that it's not lowering your security standard?

frankive
Service Provider
Posts: 901
Liked: 106 times
Joined: May 14, 2013 8:35 pm
Full Name: Frank Iversen
Location: Norway
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by frankive » Dec 04, 2019 8:14 am 1 person likes this post

*chewing popcorn on this*

Mike Resseler
Product Manager
Posts: 5887
Liked: 647 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mike Resseler » Dec 10, 2019 10:51 am

Hey,

Sorry about my late reply... I have been a bit busy releasing lately :-). I disagree with the MVP on his statement. Having a legacy user / password with CA based on IP / location seems very safe. But that said, we can continue the discussion about what is safest, and in that case the only outcome will be that you will need to do 2FA each time our service wants to connect to O365 (and you would need to do that with your Outlook then also...). More importantly:

We are obviously aware that we need to come up with a solution so we can support connection without the legacy authentication protocol. And we are actively working on / researching this. However, it will come at a cost. Certain items won't be protected, and certain restores won't be possible. Maybe later they will become available again if we can do everything through Graph, but as of today, we need to work with CSOM (SPO / O4B) and EWS (Exchange Online). Because of these services, we are limited in certain things.

Hope that makes it a bit clearer.

Frohn
Novice
Posts: 9
Liked: 3 times
Joined: Oct 17, 2018 6:13 pm
Full Name: Christian Petersen
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Frohn » Dec 10, 2019 5:07 pm

Hey Mike

Thank you for taking the time to post an answer on the topic

The solution with CA based on IP / location and a specific SA is not that safe. It does prevent the protocol from being used by users, but CA doesn't work until after the authentication has been confirmed.

That means, if we do make use of the solution with CA, we have now just provided a platform for brute-force attacks. Because everyone will be able to test the username & password against the legacy protocol, and when the password is guessed, CA will tell you that you cannot get in.
So now an attacker knows the password of the user.

I'm aware that Veeam and Microsoft are working on resolving the need for the legacy protocol in the application.
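One way to watch for the failure mode described above (credentials validated first, CA applied afterwards) from the defender's side, as an added example that is not part of this thread or of Veeam's product: a small Python triage over exported Azure AD sign-in records. It assumes the Microsoft Graph signIn field names (clientAppUsed, conditionalAccessStatus, status.errorCode) and the documented error codes 53003 (blocked by Conditional Access) and 50126 (invalid username or password); the sample records and the account names are constructed.

```python
import json
from collections import defaultdict

# Constructed sample records shaped like Microsoft Graph signIn objects.
# The field names follow the signIn resource; the values are made up.
SAMPLE_SIGNINS = json.loads("""
[
 {"userPrincipalName":"alice@contoso.example","clientAppUsed":"IMAP4","ipAddress":"203.0.113.7",
  "conditionalAccessStatus":"failure","status":{"errorCode":53003}},
 {"userPrincipalName":"alice@contoso.example","clientAppUsed":"IMAP4","ipAddress":"203.0.113.7",
  "conditionalAccessStatus":"notApplied","status":{"errorCode":50126}},
 {"userPrincipalName":"bob@contoso.example","clientAppUsed":"Browser","ipAddress":"198.51.100.4",
  "conditionalAccessStatus":"success","status":{"errorCode":0}},
 {"userPrincipalName":"svc-backup@contoso.example","clientAppUsed":"Other clients","ipAddress":"192.0.2.10",
  "conditionalAccessStatus":"success","status":{"errorCode":0}}
]
""")

# Subset of the client-app names Azure AD sign-in logs use for legacy (basic) auth;
# extend to match the clients seen in your own tenant.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync",
                  "Exchange Web Services", "AutoDiscover", "Other clients"}
CA_BLOCKED = 53003     # credentials were accepted, then Conditional Access blocked the sign-in
BAD_PASSWORD = 50126   # credentials were rejected

def triage(signins):
    """Per-user counters for legacy-protocol sign-ins: how often a password was
    accepted and only CA stopped the sign-in (the password is known to the caller),
    how often the password was wrong, and how often legacy auth fully succeeded."""
    report = defaultdict(lambda: {"creds_valid_ca_blocked": 0, "bad_password": 0,
                                  "legacy_success": 0, "sources": set()})
    for s in signins:
        if s.get("clientAppUsed") not in LEGACY_CLIENTS:
            continue  # modern-auth clients get the normal CA evaluation; not in scope here
        upn = s["userPrincipalName"]
        code = s.get("status", {}).get("errorCode", 0)
        if code == CA_BLOCKED:
            report[upn]["creds_valid_ca_blocked"] += 1
            report[upn]["sources"].add(s.get("ipAddress"))
        elif code == BAD_PASSWORD:
            report[upn]["bad_password"] += 1
        elif code == 0:
            report[upn]["legacy_success"] += 1
    return dict(report)

def users_to_reset(signins):
    """Accounts whose password should be treated as exposed: a legacy sign-in got past
    credential validation and was stopped only by Conditional Access."""
    return sorted(u for u, r in triage(signins).items() if r["creds_valid_ca_blocked"] > 0)
```

Accounts listed by users_to_reset need a password reset and a look at the source addresses, because a 53003 on a legacy protocol means the credential itself was correct; the svc-backup style entries show which accounts still depend on legacy auth at all.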

Mike Resseler
Product Manager
Posts: 5887
Liked: 647 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mike Resseler » Dec 10, 2019 5:10 pm

Hmmm,

I didn't know that. If that is the case, I actually need to talk to MSFT, because that workflow is wrong. To me, authentication should not even be tried, because the first thing that should be checked is CA.

Frohn
Novice
Posts: 9
Liked: 3 times
Joined: Oct 17, 2018 6:13 pm
Full Name: Christian Petersen
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Frohn » Dec 10, 2019 5:42 pm

Hey Mike

Thanks for the quick reply.

That is indeed the case. CA is happening "post-authentication" on the legacy protocol.

I'm currently working on getting an answer from MS on the topic of CA and the legacy protocol. If you decide to contact them, I would very much like to know the answer.

Mike Resseler
Product Manager
Posts: 5887
Liked: 647 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mike Resseler » Dec 11, 2019 8:55 am

Yes, I will contact them, but since the holiday season has started, I'm pretty sure it will take some time to get a response...

c.schulzejn
Influencer
Posts: 23
Liked: 1 time
Joined: Oct 24, 2018 8:22 am
Full Name: Christoph Schulze
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by c.schulzejn » Dec 18, 2019 7:21 am

Please keep us posted.
Attacks on O365 / Azure are increasing.

frankive
Service Provider
Posts: 901
Liked: 106 times
Joined: May 14, 2013 8:35 pm
Full Name: Frank Iversen
Location: Norway
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by frankive » Dec 31, 2019 12:03 pm

Does the cloud have holiday? :)

Mike Resseler
Product Manager
Posts: 5887
Liked: 647 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mike Resseler » Jan 01, 2020 9:14 am

Frank... The cloud not so much... people behind it... ;-)

c.schulzejn
Influencer
Posts: 23
Liked: 1 time
Joined: Oct 24, 2018 8:22 am
Full Name: Christoph Schulze
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by c.schulzejn » Jan 09, 2020 7:20 am

Quote from a recent partner mail from Microsoft:
• Blocking legacy authentication will not be enforced for partners at this time. However, as most events related to compromised identities come from sign-in attempts using legacy authentication, partners are encouraged to move away from these older protocols.

Mike Resseler
Product Manager
Posts: 5887
Liked: 647 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mike Resseler » Jan 09, 2020 9:21 am 1 person likes this post

Hi Christoph,

Just to be clear on this: with legacy, they mean username / password. We do support MFA with app registration, which is encouraged here. But the fact remains that we still have some legacy protocols remaining.
