Maintain control of your Microsoft 365 data
Polina
Veeam Software
Posts: 4026
Liked: 1031 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva

Re: Mailbox errors: The HTTP request was forbidden with client authentication scheme 'Anonymous'.

Post by Polina » 1 person likes this post

The official deadline from Microsoft is July 1, 2026. Until that time, please follow the recommendations provided in KB4796.

Thanks
DaStivi
Veeam Legend
Posts: 486
Liked: 99 times
Joined: Jun 30, 2015 9:13 am
Full Name: Stephan Lang
Location: Austria

Post by DaStivi » 3 people like this post

But this is also no one-time fix! As I wrote in my posts before... my best guess right now is that when a user's license changes from Kiosk to Ex, the EWS gets "nulled" and then produces errors in the backup...

The earlier we can get a GraphAPI-EXO Backup version, the better!!
Polina
Veeam Software
Posts: 4026
Liked: 1031 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva

Post by Polina » 1 person likes this post

Hi Stephan,

If you get Graph API backup today, you won't be able to protect group, resource and archive mailboxes anymore, and you will face a few other changes in behavior compared to the current state of the backup you are used to.

First, we'll address the issue for limited license mailboxes. All the rest will come later. Hopefully at least some of the current limitations will be resolved/addressed by that time.

Thanks.
hans.ovli
Influencer
Posts: 11
Liked: 3 times
Joined: Oct 21, 2024 6:49 am
Full Name: Hans Aleksander Ovli

Post by hans.ovli »

What do we do as a workaround to this issue when a customer has disabled EWS at both the organization level and the user level based on their risk policy?
https://www.veeam.com/kb4796 will not solve that, and on the support side, when I tried to create a ticket for it, they state:
The issue “The HTTP request was forbidden with client authentication scheme ‘Anonymous’” is currently being jointly investigated by Veeam and Microsoft. For proactive updates, please refer to KB4796.

When is this going to be fixed? It has been like this for quite a while, and the last update in the KB was a month ago. I have a customer with this error on hundreds of mailboxes.
Is this an error causing backups not to be taken, or is this an error message we can safely ignore as noise?
Polina
Veeam Software
Posts: 4026
Liked: 1031 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva

Post by Polina »

Hi Hans,

Today, if EWS is disabled, backups cannot be performed, and there's no workaround for that.

Veeam is now working on transitioning from EWS to Graph APIs for Exchange backup. You can see more details in my post above.
Mildur
Product Manager
Posts: 11844
Liked: 3361 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Post by Mildur » 4 people like this post

Hi all,

As Polina shared, we are working on the transition from EWS to Microsoft Graph API and plan to release the new Veeam Backup for Microsoft 365 version in time to support Microsoft Graph API for <F- and Kiosk-licensed mailboxes>.

Today, we want to provide the list of additional required permissions for the backup application in Microsoft Entra ID so you can prepare before the update is released. This may be helpful for service providers that need to contact their customers to arrange these additional permissions.

Disclaimer: This list reflects the current development state and is expected to be final for the upcoming release. However, it may still change before release if additional Microsoft Graph API permissions are required. Please double-check the Release Notes or User Guide after GA.


+------------------------------+------------------------------------+--------+---------+
| Permission                   | Permission Type                    | Backup | Restore |
+------------------------------+------------------------------------+--------+---------+
| User.ReadBasic.All           | Application                        |   x    |    x    |
| User.ReadBasic.All           | Delegated (work or school account) |        |    x    |
| MailboxItem.ImportExport.All | Application                        |   x    |    x    |
| MailboxItem.ImportExport     | Delegated (work or school account) |        |    x    |
| MailboxFolder.Read.All       | Application                        |   x    |         |
| MailboxItem.Read.All         | Application                        |   x    |         |
| MailboxItem.Read             | Delegated (work or school account) |        |    x    |
| MailboxFolder.ReadWrite.All  | Application                        |        |    x    |
| MailboxFolder.ReadWrite      | Delegated (work or school account) |        |    x    |
+------------------------------+------------------------------------+--------+---------+
Best regards,
Fabian
Product Management Analyst @ Veeam Software
hans.ovli
Influencer
Posts: 11
Liked: 3 times
Joined: Oct 21, 2024 6:49 am
Full Name: Hans Aleksander Ovli

Post by hans.ovli »

Thx for answering out here, Polina and Mildur!
I need to reach out to my customer to ask them to enable EWS again, but I am having trouble seeing the actual consequence.
Since the Exchange explorer shows data can be restored and restore points seem OK, what is not being backed up here, since Veeam displays it as an error?
Mildur
Product Manager
Posts: 11844
Liked: 3361 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Post by Mildur » 1 person likes this post

Hi Hans,

If you see the error documented in KB 4796, then specific mailboxes should not have been protected during that job session.
I recommend enabling it to be sure that all mailboxes are protected.

Best,
Fabian
Product Management Analyst @ Veeam Software
Polina
Veeam Software
Posts: 4026
Liked: 1031 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva

Post by Polina »

Hi All,

Please note that the list of required permissions was updated:


-------------------------------------------------------
Backup and Restore
-------------------------------------------------------
User.Read.All (Application)
MailboxItem.ImportExport.All (Application)
MailboxItem.Read.All (Application)
MailboxFolder.ReadWrite.All (Application)

-------------------------------------------------------
Restore
-------------------------------------------------------
User.Read.All (Delegated)
MailboxItem.ImportExport (Delegated)
MailboxItem.Read (Delegated)
MailboxFolder.ReadWrite (Delegated)
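
For service providers checking a tenant before the deadline, the following added example (not part of the original posts and not Veeam's code) compares the permissions carried in an Entra ID access token against the updated list above. It assumes the token is a decodable JWT with application permissions in the `roles` claim and delegated ones in `scp`; the helper names and the sample token are constructed for illustration.

```python
import base64
import json

# Permission names copied from the updated list in the post above.
REQUIRED_APPLICATION = {
    "User.Read.All",
    "MailboxItem.ImportExport.All",
    "MailboxItem.Read.All",
    "MailboxFolder.ReadWrite.All",
}
REQUIRED_DELEGATED = {
    "User.Read.All",
    "MailboxItem.ImportExport",
    "MailboxItem.Read",
    "MailboxFolder.ReadWrite",
}


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (audit use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_permissions(token: str) -> dict:
    """Report which required permissions the token does not carry."""
    claims = jwt_claims(token)
    if "scp" in claims:  # delegated token: space-separated scopes
        granted, required, kind = set(claims["scp"].split()), REQUIRED_DELEGATED, "Delegated"
    else:  # app-only token: application permissions listed in "roles"
        granted, required, kind = set(claims.get("roles", [])), REQUIRED_APPLICATION, "Application"
    return {"type": kind, "missing": sorted(required - granted)}


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Constructed app-only token that lacks two of the four application permissions.
    sample = make_sample_token({"roles": ["User.Read.All", "MailboxItem.Read.All"]})
    print(missing_permissions(sample))
```

An empty `missing` list for both an app-only and a delegated token means the app registration carries everything in the list as posted; check the names against the KB before relying on it.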
FJGyCKCx4d
Service Provider
Posts: 8
Liked: never
Joined: Dec 19, 2025 10:22 am
Full Name: Adrien

Post by FJGyCKCx4d »

Hi

After the update that moves the API calls to Graph, will the old one still work on Veeam?
Like, can I update directly to the new version with the Graph API calls when the update is out, and will old organisations still use EWS until we update the required permissions?
Or will backup jobs keep failing until we add the permissions/re-add the organisation?

Adrien
Polina
Veeam Software
Posts: 4026
Liked: 1031 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva

Post by Polina » 1 person likes this post

Hi Adrien,

Once the newer VB365 is out and until July 1st, everything will be protected as it used to be, giving you time to update permissions.
If permissions are not granted by July 1st, Kiosk/F1/F3 mailboxes will start failing. All other mailboxes will be protected as usual.

We highly recommend taking action in advance and starting to assign app registrations with the above permissions already today, even if you're not protecting Kiosk/F1/F3 - this effort will be needed anyway because of the upcoming EWS deprecation.
tm67
Veeam Legend
Posts: 228
Liked: 89 times
Joined: Feb 21, 2023 4:44 pm
Full Name: Timo Marfurt
Location: Switzerland

Post by tm67 » 1 person likes this post

Hi Polina
How "final" are those additional permissions?
For us service providers, it would be great to have an official KB article that describes the change and the additional permissions required so we can send it out to the customers together with some instructions on how to configure the app registration.
Thanks
Timo
Polina
Veeam Software
Posts: 4026
Liked: 1031 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva

Post by Polina » 2 people like this post

Hi Timo,

I consider them as final. An update to the KB is in progress.
ian0x0r
Veeam Vanguard
Posts: 241
Liked: 57 times
Joined: Nov 11, 2010 11:53 am
Full Name: Ian Sanderson
Location: UK

Post by ian0x0r »

Hey Polina,

Is it likely to be a V8.5 update that will encompass the additional permissions required in the Entra Enterprise App registration when creating or updating?

Thanks,

Ian
Check out my blog at www.snurf.co.uk :D
Polina
Veeam Software
Posts: 4026
Liked: 1031 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva

Post by Polina » 2 people like this post

Hi Ian,

Yes, it's planned as an 8.5 update.
edh
Veeam Legend
Posts: 513
Liked: 173 times
Joined: Nov 02, 2020 2:48 pm
Full Name: Manuel Rios
Location: Madrid, Spain

Post by edh »

Wait... again revalidate all tenants' permissions?? :shock:
Service Provider | VMCE
Polina
Veeam Software
Posts: 4026
Liked: 1031 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva

Post by Polina »

Permissions update is required each time new APIs are used/added ¯\_(ツ)_/¯
FJGyCKCx4d
Service Provider
Posts: 8
Liked: never
Joined: Dec 19, 2025 10:22 am
Full Name: Adrien

Post by FJGyCKCx4d »

Polina wrote: May 26, 2026 2:47 pm
Hi Timo,

I consider them as final. An update to the KB is in progress.

Hello

Do you have a date when this KB will be out?
I want to directly link our customer to the KB so they can change the permission directly.
tm67
Veeam Legend
Posts: 228
Liked: 89 times
Joined: Feb 21, 2023 4:44 pm
Full Name: Timo Marfurt
Location: Switzerland

Post by tm67 » 5 people like this post

Have a look here: https://www.veeam.com/kb4820
The permissions are listed