Maintain control of your Microsoft Office 365 data
c.schulzejn
Enthusiast
Posts: 37
Liked: 1 time
Joined: Oct 24, 2018 8:22 am
Full Name: Christoph Schulze
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by c.schulzejn »

I know you have to use the API Microsoft provides, so please don't be offended.
Microsoft, on the other hand, is pushing us as a Microsoft Partner to use Conditional Access policies. As I don't know whether Veeam is aware of this, I'll post some screenshots for you.

https://partner.microsoft.com/en-us/pcv ... compliance
https://partner.microsoft.com/de-DE/res ... quirements#/

nielsengelen
Veeam Software
Posts: 3418
Liked: 686 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by nielsengelen » 1 person likes this post

We are aware of this, but we (and Microsoft) are also aware that certain things are still not available via the new APIs, and therefore we leverage the legacy path. So far this hasn't caused any issues, but we will continue to push and update as time goes on.
https://foonet.be

Frohn
Novice
Posts: 9
Liked: 3 times
Joined: Oct 17, 2018 6:13 pm
Full Name: Christian Petersen
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Frohn » 1 person likes this post

Hello

My company is in the process of implementing VBO at the moment, and we have also stumbled upon the need for the SPO legacy protocol to be enabled.

We talked to our contacts at Veeam about it, and they gave us the solution mentioned in this forum thread.

We then decided to dig deep into the solution to see if it was okay to implement (we are currently using CA).
I talked to a colleague of mine who is a Microsoft MVP in Enterprise mobility and asked him to look at the solution provided.
He then got back to me and told me, short version: "You cannot use CA to prevent the use of the legacy protocol, because the legacy protocol cannot handle CA enforcement. CA is a top-level security measure, and when you enable the legacy protocol in SPO, you can then bypass CA with just username & password."

My first response was: are you sure? He then went a little further and asked a couple of other MVPs with in-depth knowledge of CA policies, and 3 of them told him that he was right in what he told me. One other MVP was not, and said the exact opposite.
He then went on to ask a Microsoft employee who works in the Intune team, and he confirmed what the 3 other MVPs had told him.

We have now reached out to our contacts at Microsoft to get an answer to the question "Is it safe to enable the legacy protocol in SPO and then use CA to protect it?" We are currently still waiting for the answer.

This is from a blog post regarding this topic:
Some cloud apps also support legacy authentication protocols. This applies, for example, to SharePoint Online and Exchange Online. When a client app can use a legacy authentication protocol to access a cloud app, Azure AD cannot enforce a conditional access policy on this access attempt. To prevent a client app from bypassing the enforcement of policies, you should check whether it is possible to only enable modern authentication on the affected cloud apps.
- This is taken from a Microsoft MVP (Enterprise mobility) - https://alberthoitingh.com/2018/04/26/m ... on-beware/ -
His source is: https://docs.microsoft.com/en-us/azure/ ... -practices

And that basically confirms what we have been told so far.

So, my question to you guys who have enabled the legacy protocol in SPO and are using CA to protect it: do you have any confirmation from an official source that it's absolutely 100% safe and that it isn't lowering your security standard?

frankive
Service Provider
Posts: 945
Liked: 108 times
Joined: May 14, 2013 8:35 pm
Full Name: Frank Iversen
Location: Norway
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by frankive » 1 person likes this post

*chewing popcorn on this*

Mike Resseler
Product Manager
Posts: 6122
Liked: 712 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mike Resseler »

Hey,

Sorry about my late reply... I have been a bit busy releasing lately :-). I disagree with the MVP on his statement. Having a legacy user/pwd with CA based on IP/location seems very safe. But that said, we can continue the discussion about what is safest, and in that case the only outcome will be that you will need to do 2FA each time our service wants to connect to O365 (and you would need to do that with your Outlook then also...). More importantly:

We are obviously aware that we need to come up with a solution so we can support connections without the legacy authentication protocol. And we are actively working on / researching this. However, it will come at a cost. Certain items won't be protected, and certain restores won't be possible. Maybe later they will become available again if we can do everything through Graph, but as of today we need to work with CSOM (SPO / O4B) and EWS (Exchange Online). Because of these services, we are limited in certain things.

Hope that makes it a bit clearer.

Frohn
Novice
Posts: 9
Liked: 3 times
Joined: Oct 17, 2018 6:13 pm
Full Name: Christian Petersen
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Frohn »

Hey Mike

Thank you for taking the time to post an answer on this topic.

The solution with CA based on IP/location and a specific SA is not that safe. It does prevent the protocol from being used by users, but CA doesn't work until after the authentication has been confirmed.

That means that if we do make use of the solution with CA, we have now just provided a platform for brute-force attacks. Everyone will be able to test the username & password against the legacy protocol, and when the password is guessed, CA will tell you that you cannot get in.
So now an attacker knows the password of the user.

I'm aware that Veeam and Microsoft are working on resolving the need for the legacy protocol in the application.
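The failure mode Christian describes above (the password is verified before Conditional Access runs, so a CA block on a legacy protocol tells the caller the password was correct) leaves a signature in the tenant's sign-in logs. The script below is an added example, not code from this thread or from Veeam or Microsoft: it triages constructed sign-in records for legacy-protocol attempts that ended in AADSTS53003 (blocked by Conditional Access) from an IP the account has never succeeded from, and for IPs producing AADSTS50126 (bad password) across many accounts. The field names follow the sign-in log export and the two error codes are the documented AADSTS codes; the records, addresses and account names are made up for the example.

```python
"""Triage of Entra ID (Azure AD) sign-in records for a password that was
accepted over a legacy protocol and only then refused by Conditional Access.
Added example code, not from Veeam or Microsoft. The records are constructed
for this example; field names follow the sign-in log export
(userPrincipalName, ipAddress, clientAppUsed, status.errorCode).
"""
from collections import defaultdict

# clientAppUsed values that authenticate with a plain username/password and are
# evaluated by Conditional Access only after the credential check has passed.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Other clients", "IMAP4", "POP3", "SMTP",
    "Authenticated SMTP", "Exchange Web Services", "Autodiscover",
}

SUCCESS = 0
INVALID_PASSWORD = 50126   # AADSTS50126: wrong password, CA was never consulted
BLOCKED_BY_CA = 53003      # AADSTS53003: password accepted, CA denied the token

# Constructed sample: 203.0.113.9 sprays three accounts over legacy protocols;
# the backup service account's password is eventually guessed and CA blocks it.
# 198.51.100.20 is the office egress the backup server legitimately uses.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "svc-backup@contoso.example", "ipAddress": "203.0.113.9",
     "clientAppUsed": "Exchange Web Services", "status": {"errorCode": 50126}},
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.9",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "203.0.113.9",
     "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 50126}},
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.9",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}},
    {"userPrincipalName": "svc-backup@contoso.example", "ipAddress": "198.51.100.20",
     "clientAppUsed": "Exchange Web Services", "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-backup@contoso.example", "ipAddress": "203.0.113.9",
     "clientAppUsed": "Exchange Web Services", "status": {"errorCode": 53003}},
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "192.0.2.44",
     "clientAppUsed": "Browser", "status": {"errorCode": 0}},
]


def is_legacy(record):
    return record["clientAppUsed"] in LEGACY_CLIENT_APPS


def error_code(record):
    return record["status"]["errorCode"]


def triage(records, spray_threshold=3):
    """Return (compromised, sprayers).

    compromised: {upn: [ip, ...]} for accounts that got 53003 over a legacy
      protocol from an IP that has never signed in successfully as that user.
      CA kept the caller out, but the password it presented was correct.
    sprayers: {ip: distinct_accounts} for IPs that produced 50126 over legacy
      protocols against at least spray_threshold different accounts.
    """
    known_good = defaultdict(set)   # upn -> IPs with a successful sign-in
    for r in records:
        if error_code(r) == SUCCESS:
            known_good[r["userPrincipalName"]].add(r["ipAddress"])

    compromised = defaultdict(set)
    spray_targets = defaultdict(set)
    for r in records:
        if not is_legacy(r):
            continue
        upn, ip, code = r["userPrincipalName"], r["ipAddress"], error_code(r)
        if code == BLOCKED_BY_CA and ip not in known_good[upn]:
            compromised[upn].add(ip)
        elif code == INVALID_PASSWORD:
            spray_targets[ip].add(upn)

    sprayers = {ip: len(users) for ip, users in spray_targets.items()
                if len(users) >= spray_threshold}
    return {upn: sorted(ips) for upn, ips in compromised.items()}, sprayers


if __name__ == "__main__":
    compromised, sprayers = triage(SAMPLE_SIGNINS)
    for upn, ips in compromised.items():
        print(f"RESET PASSWORD: {upn} used the correct password over legacy auth from {ips}; CA blocked it")
    for ip, n in sprayers.items():
        print(f"SPRAY SOURCE: {ip} tried {n} distinct accounts over legacy auth")
```

The 53003 hit is the one that matters: the sign-in was refused, so nothing looks breached, but whoever sent it now holds a working password for the backup account and only the IP/location condition stands between them and the tenant. Treat it as a credential reset, not as a blocked attack.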

Mike Resseler
Product Manager
Posts: 6122
Liked: 712 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mike Resseler »

Hmmm,

I didn't know that. If that is the case, I actually need to talk to MSFT, because that workflow is wrong. To me, authentication should not even be tried, because the first thing that should be checked is CA.

Frohn
Novice
Posts: 9
Liked: 3 times
Joined: Oct 17, 2018 6:13 pm
Full Name: Christian Petersen
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Frohn »

Hey Mike

Thanks for the quick reply.

That is indeed the case. CA is happening "post-authentication" on the legacy protocol.

I'm currently working on getting an answer from MS on the topic of CA and the legacy protocol. If you decide to contact them, I would very much like to know the answer.

Mike Resseler
Product Manager
Posts: 6122
Liked: 712 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mike Resseler »

Yes, I will contact them, but since the holiday season has started, I'm pretty sure it will take some time to get a response...

c.schulzejn
Enthusiast
Posts: 37
Liked: 1 time
Joined: Oct 24, 2018 8:22 am
Full Name: Christoph Schulze
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by c.schulzejn »

Please keep us posted.
Attacks on O365 / Azure are increasing.

frankive
Service Provider
Posts: 945
Liked: 108 times
Joined: May 14, 2013 8:35 pm
Full Name: Frank Iversen
Location: Norway
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by frankive »

Does the cloud have holiday? :)

Mike Resseler
Product Manager
Posts: 6122
Liked: 712 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mike Resseler »

Frank... The cloud not so much... people behind it... ;-)

c.schulzejn
Enthusiast
Posts: 37
Liked: 1 time
Joined: Oct 24, 2018 8:22 am
Full Name: Christoph Schulze
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by c.schulzejn »

Quote from a recent partnermail from Microsoft:
• Blocking legacy authentication will not be enforced for partners at this time. However, as most events related to compromised identities come from sign-in attempts using legacy authentication, partners are encouraged to move away from these older protocols.

Mike Resseler
Product Manager
Posts: 6122
Liked: 712 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mike Resseler » 1 person likes this post

Hi Christoph,

Just to be clear on this: with legacy, they mean username/password. We do support MFA with app registration, which is encouraged here. But the fact remains that we still have some legacy protocols remaining.

Tarqy
Service Provider
Posts: 42
Liked: 5 times
Joined: Aug 08, 2014 1:51 pm
Full Name: Barry Knox
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Tarqy » 1 person likes this post

Do we have any update on this from Veeam/Microsoft? As mentioned earlier disabling of legacy authentication methods is being mandated for Microsoft Partners.

This is being done by enabling something they call Security Defaults (on the surface this looks like a set of free to use conditional access rules)

https://docs.microsoft.com/en-gb/azure/ ... entication

With this enabled, backup no longer functions. I have seen documented workarounds that use custom conditional access policies, but this would require the purchase of Azure AD Premium P2 licences, so it's not without costs.

The other thing in the linked document you may want to note is the following:

If your tenant was created on or after October 22nd, 2019, it’s possible you are experiencing the new secure-by-default behavior and already have security defaults enabled in your tenant. In an effort to protect all of our users, security defaults is being rolled out to all new tenants created.

This suggests Security Defaults will be coming to all tenants as a default and isn't something only being forced down the necks of Microsoft partners; they would have the option to turn it off, but you may see a serious uptick in support calls!
VMCE
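The "custom conditional access policies" workaround Barry refers to, and the IP/location-scoped CA Mike described earlier, is usually built from two policies: one that blocks legacy authentication for everyone except the backup service account, and one that blocks the backup service account's legacy authentication everywhere except the named location the backup server egresses from. The block below is an added example, not Veeam's or Microsoft's code: it builds both policy bodies in the Microsoft Graph conditionalAccessPolicy schema (the shape you would POST to /identity/conditionalAccess/policies) and then runs a small local model of the evaluation order this thread describes for username/password clients (credential check first, policy check second) to show what each caller gets back. The object ID and named-location ID are placeholders, and ca_decision is an illustration of that ordering, not Microsoft's evaluation engine.

```python
"""Two Conditional Access policies (Graph conditionalAccessPolicy schema) that
confine legacy authentication to one backup service account at one named
location, plus a local model of how a legacy client's sign-in is evaluated:
password first, policies second. Added example code; the IDs are placeholders
and ca_decision is a model for illustration, not Microsoft's engine.
"""

SUCCESS = 0
INVALID_PASSWORD = 50126   # AADSTS50126: password rejected, CA not consulted
BLOCKED_BY_CA = 53003      # AADSTS53003: password accepted, CA denied the token

BACKUP_SVC_ID = "00000000-0000-0000-0000-00000000b4c0"              # placeholder object id
BACKUP_EGRESS_LOCATION_ID = "00000000-0000-0000-0000-000000000e91"  # placeholder named location
LEGACY_CLIENT_APP_TYPES = ["exchangeActiveSync", "other"]            # Graph clientAppTypes for legacy auth


def block_legacy_for_everyone_except(service_account_id):
    """Policy 1: legacy auth is blocked for all users; only the backup account is excluded."""
    return {
        "displayName": "Block legacy authentication (all users)",
        "state": "enabled",
        "conditions": {
            "clientAppTypes": LEGACY_CLIENT_APP_TYPES,
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": [service_account_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def restrict_legacy_to_location(service_account_id, named_location_id):
    """Policy 2: the backup account's legacy auth is blocked from every location except one."""
    return {
        "displayName": "Backup service account: legacy auth only from backup server egress",
        "state": "enabled",
        "conditions": {
            "clientAppTypes": LEGACY_CLIENT_APP_TYPES,
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": [service_account_id]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [named_location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


POLICIES = [
    block_legacy_for_everyone_except(BACKUP_SVC_ID),
    restrict_legacy_to_location(BACKUP_SVC_ID, BACKUP_EGRESS_LOCATION_ID),
]


def _in_scope(scope, value, include_key, exclude_key):
    """Graph include/exclude semantics: 'All' or a listed id includes, a listed id excludes."""
    included = "All" in scope.get(include_key, []) or value in scope.get(include_key, [])
    excluded = value in scope.get(exclude_key, [])
    return included and not excluded


def ca_decision(policies, signin):
    """Model of the evaluation order for a username/password client.

    signin: {"user_id": str, "client_app_type": str,
             "location_id": named location id or None, "password_valid": bool}
    The password is checked before any policy is looked at, which is exactly
    why a 53003 result discloses that the password was right.
    """
    if not signin["password_valid"]:
        return INVALID_PASSWORD
    for policy in policies:
        if policy["state"] != "enabled":
            continue
        cond = policy["conditions"]
        apps = cond["clientAppTypes"]
        if "all" not in apps and signin["client_app_type"] not in apps:
            continue
        if not _in_scope(cond["users"], signin["user_id"], "includeUsers", "excludeUsers"):
            continue
        loc = cond.get("locations")
        if loc and not _in_scope(loc, signin["location_id"], "includeLocations", "excludeLocations"):
            continue
        if "block" in policy["grantControls"]["builtInControls"]:
            return BLOCKED_BY_CA
    return SUCCESS


if __name__ == "__main__":
    svc_from_office = {"user_id": BACKUP_SVC_ID, "client_app_type": "other",
                       "location_id": BACKUP_EGRESS_LOCATION_ID, "password_valid": True}
    svc_from_elsewhere = dict(svc_from_office, location_id=None)
    print("backup server, office egress :", ca_decision(POLICIES, svc_from_office))      # 0
    print("same account, other location :", ca_decision(POLICIES, svc_from_elsewhere))   # 53003
    print("same, wrong password         :", ca_decision(POLICIES, dict(svc_from_elsewhere, password_valid=False)))  # 50126
```

Two things the model makes visible. First, the attacker's view: 50126 versus 53003 is an oracle, so the location condition limits where the account can be used from but does not stop its password from being confirmed. Second, the insider's view: anyone already inside the excluded named location is subject to neither policy, which is the point made later in the thread about leaving such an account without MFA.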

nielsengelen
Veeam Software
Posts: 3418
Liked: 686 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by nielsengelen »

Barry, no real update for now but we are well aware of this point. Once we know more, it will be shared here asap.
https://foonet.be

m.novelli
Veeam ProPartner
Posts: 363
Liked: 43 times
Joined: Dec 29, 2009 12:48 pm
Full Name: Marco Novelli
Location: Asti - Italy
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by m.novelli » 1 person likes this post

Tarqy wrote:
Jan 21, 2020 5:39 pm
Do we have any update on this from Veeam/Microsoft? As mentioned earlier disabling of legacy authentication methods is being mandated for Microsoft Partners.
...

If your tenant was created on or after October 22nd, 2019, it’s possible you are experiencing the new secure-by-default behavior and already have security defaults enabled in your tenant. In an effort to protect all of our users, security defaults is being rolled out to all new tenants created.

This suggests Security Defaults will be coming to all tenants as a default and isn't something only being forced down the necks of Microsoft partners; they would have the option to turn it off, but you may see a serious uptick in support calls!
As a Microsoft Gold Partner I confirm that I have enabled "Security Defaults" on my Azure AD tenant, and VBO stopped working. VBO was already configured and working with Modern Authentication / MFA :-(

I get two errors:

Connect to EWS: the request failed with HTTP status 401: unauthorized
Connect to PowerShell: connect to outlook.office365.com failed, access denied

Marco

Tarqy
Service Provider
Posts: 42
Liked: 5 times
Joined: Aug 08, 2014 1:51 pm
Full Name: Barry Knox
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Tarqy »

VBO365 requires legacy authentication protocols and app passwords (when using modern authentication) in order to work.

Security Defaults disables both of these and is exactly the reason I chased this up last week.
VMCE

Mike Resseler
Product Manager
Posts: 6122
Liked: 712 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by Mike Resseler » 1 person likes this post

Barry,

We are working heavily to have a solution for this. However, if we stop using legacy authentication protocols, we will suffer a loss of functionality. I can't give a date yet, but know that we are working on such a solution. Also, at the same time, we are working with Microsoft to see how the functionality could return (but that will be the longer route, I'm afraid...).

m.novelli
Veeam ProPartner
Posts: 363
Liked: 43 times
Joined: Dec 29, 2009 12:48 pm
Full Name: Marco Novelli
Location: Asti - Italy
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by m.novelli » 1 person likes this post

Thanks Mike! Would love to have back a set of minimal functionality; it's better than nothing... actually I can't run VBO at all with the new Azure security settings for Microsoft Partners.

Marco

c.schulzejn
Enthusiast
Posts: 37
Liked: 1 time
Joined: Oct 24, 2018 8:22 am
Full Name: Christoph Schulze
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by c.schulzejn »

Tarqy wrote:
Jan 21, 2020 5:39 pm
[...]
With this enabled backup no longer functions, I have seen documented workarounds that use custom conditional access policies but this would require the purchase of azure ad premium p2 licences so its not without costs.
[...]
Are you sure about Azure AD Premium P2? I found this:
https://docs.microsoft.com/en-us/azure/ ... et-started
[...]
Azure AD Premium P1
For customers with Azure AD Premium P1 or similar licenses that include this functionality such as Enterprise Mobility + Security E3, Microsoft 365 F1, or Microsoft 365 E3:

The recommendation is to use Conditional Access policies for the best user experience.
Microsoft Silver Partners get 25 seats of Enterprise Mobility Suite (E3), regardless of which competency they have. I took this information from the latest IRU file: 'License Table - Competency (November 4th 2019).docx'.
AFAIK there is no Enterprise Mobility Suite (E3), only Enterprise Mobility + Security (E3).

IMHO EMSS E3 would be enough!?
I did not have time to evaluate the options or to search for a guide on how to get VBO 365 running with Conditional Access policies while staying compliant as an MS Partner.

@Tarqy do you have a guide and can publish it for us?

m.novelli
Veeam ProPartner
Posts: 363
Liked: 43 times
Joined: Dec 29, 2009 12:48 pm
Full Name: Marco Novelli
Location: Asti - Italy
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by m.novelli »

I have Office 365 E3 licenses, and enabling the new Microsoft Azure Security Defaults broke VBO, since it disables all legacy protocols. Conditional Access can't help, IMHO.

Cheers, Marco

kurt
Enthusiast
Posts: 66
Liked: 2 times
Joined: Jul 07, 2010 9:03 pm
Full Name: Robert
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by kurt »

New user here. I was about to test out v4. Went through the MFA setup guide only to get stuck on this error: "Check LegacyAuthProtocolsEnabled". I would rather have reduced functionality than enable legacy auth. Are there still plans to do that?

nielsengelen
Veeam Software
Posts: 3418
Liked: 686 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by nielsengelen »

Hi Robert, we are still looking into it as mentioned before but no update for now. We'll post here once we have more info.
https://foonet.be

KSCSIT
Lurker
Posts: 1
Liked: never
Joined: May 17, 2012 2:51 pm
Full Name: Fred Fish
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by KSCSIT »

Mike Resseler wrote:
Dec 10, 2019 10:51 am
Having a legacy user / pwd with CA based on IP/ location seems very safe.
Have to disagree with that. If you whitelist your company's IP for legacy auth (so it bypasses the MFA check), this means that if you have an internal threat that gets hold of the user/pass by whatever means, they can wipe out your 365 tenant.

It does minimise the external risks, but it's an incredibly powerful account to leave without any form of internal MFA.

mats.jansson
Service Provider
Posts: 21
Liked: 5 times
Joined: Mar 18, 2014 9:13 am
Full Name: Mats

Why not modern auth on sharepoint and onedrive?

Post by mats.jansson »

Hi Veeam
I'm a bit confused. In this forum you have written that Microsoft has no API support for modern auth on SharePoint and OneDrive.
A potential new customer (we are a service provider and offer O365 backup in our datacenter) informed us that Keepit can back up O365 using only modern auth.
How is that possible?
Why is this a big issue for us? The potential new customer has 3000 O365 users and 50 TB of data!
No modern auth, no new customers.
/Mats

nielsengelen
Veeam Software
Posts: 3418
Liked: 686 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by nielsengelen »

Mats, not everything we offer is available via modern auth so this is a limitation of the API. I merged your post with the ongoing discussion topic where updates are posted once they are available.
https://foonet.be

mats.jansson
Service Provider
Posts: 21
Liked: 5 times
Joined: Mar 18, 2014 9:13 am
Full Name: Mats

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by mats.jansson » 1 person likes this post

Is there any roadmap for when modern auth will be supported all the way?
We want to keep using Veeam, but we are losing this customer.
Mats

nielsengelen
Veeam Software
Posts: 3418
Liked: 686 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by nielsengelen » 1 person likes this post

The update is the same, we are fully looking into this but as Mike said, we will lose some functionality. No ETA for now.
https://foonet.be

mats.jansson
Service Provider
Posts: 21
Liked: 5 times
Joined: Mar 18, 2014 9:13 am
Full Name: Mats

Re: v3 - LegacyAuthProtocolIsEnabled still required?

Post by mats.jansson » 1 person likes this post

I totally agree with m.novelli, we are fine with only minimal functionality, just to get modern auth working all the way.
Mats
