Starting from the recently released version 3, Veeam Backup for Microsoft Office 365 allows for retrieving your cloud data in a more secure way by leveraging modern authentication. For backup and restores, you can now use service accounts enabled for multi-factor authentication (MFA). In this article, you will learn how it works and how to set up things quickly.
How does it work?
For modern authentication in Office 365, Veeam Backup for Microsoft Office 365 leverages two different accounts: an Azure Active Directory custom application and a service account enabled for MFA. An application, which you must register in your Azure Active Directory portal in advance, will allow Veeam Backup for Microsoft Office 365 to access Microsoft Graph API and retrieve your Microsoft Office 365 organizations’ data. A service account will be used to connect to EWS and PowerShell services.
Correspondingly, when adding an organization to the Veeam Backup for Microsoft Office 365 scope, you will need to provide two sets of credentials: your Azure Active Directory application ID with either an application secret or application certificate and your services account name with its app password:
Can I disable all basic authentication protocols in my Office 365 organization?
While Veeam Backup for Microsoft Office 365 v3 fully supports modern authentication, it has to fill in the existing gaps in Office 365 API support by utilizing a few basic authentication protocols.
First, for Exchange Online PowerShell, the AllowBasicAuthPowershell protocol must be enabled for your Veeam service account in order to get the correct information on licensed users, users’ mailboxes, and so on. Note that it can be applied on a per-user basis and you don’t need to enable it for your entire organization but for Veeam accounts only, thus minimizing the footprint for a possible security breach.
Another Exchange Online PowerShell authentication protocol you need to pay attention to is the AllowBasicAuthWebServices. You can disable it within your Office 365 organization for all users — Veeam Backup for Microsoft Office 365 can make do without it. Note though, that in this case, you will need to use application certificate instead of application secret when adding your organization to Veeam Backup for Microsoft Office 365.
And last but not the least, to be able to protect text, images, files, video, dynamic content and more added to your SharePoint Online modern site pages, Veeam Backup for Microsoft Office 365 requires LegacyAuthProtocolsEnabled to be set to $True. This basic authentication protocol takes effect for all your SharePoint Online organization, but it is required to work with certain specific services, such as ASMX.
How can I get my application ID, application secret and application certificate?
Application credentials, such as an application ID, application secret and application certificate, become available on the Office 365 Azure Active Directory portal upon registering a new application in the Azure Active Directory.
To register a new application, sign into the Microsoft 365 Admin Center with your Global Administrator, Application Administrator or Cloud Application Administrator account and go to the Azure Active Directory admin center. Select New application registration under the App registrations section:
Add the app name, select Web app/API application type, add a sign-on URL (this can be any custom URL) and click Create:
Your application ID is now available in the app settings, but there’re a few more steps to take to complete your app configuration. Next, you need to grant your new application the required permissions. Select Settings on the application’s main registration page, go to the Required permissions and click Add:
In the Select an API section, select Microsoft Graph:
Then click Select permissions and select Read all groups and Read directory data:
Note that if you want to use application certificate instead of application secret, you must additionally select the following API and corresponding permissions when registering a new application:
- Microsoft Exchange Online API access with Use Exchange Web Services with full access to all mailboxes‘ permissions
- Microsoft SharePoint Online API access with Have full control of all site collections permissions
To complete granting permissions, you need to grant administrator consent. Select your new app from the list in the App registrations (Preview) section, go to API Permissions and click Grant admin consent for <tenant name>. Click Yes to confirm granting permissions:
Now your app is all set and you can generate an application secret and/or application certificate. Both are managed on the same page. Select your app from the list in the App registrations (Preview) section, click Certificates & secrets and select New client secret to create a new application secret or select Upload certificate to add a new application certificate:
For application secret, you will need to add secret description and its expiration period. Once it’s created, copy its value, for example, to Notepad, as it won’t be displayed again:
How can I get my app password?
If you already have a user account enabled for MFA for Office 365 and granted with all the roles and permissions required by Veeam Backup for Microsoft Office 365, you can create a new app password the following way:
- Sign into the Office 365 with this account and pass additional security verification. Go to user’s settings and click Your app settings:
- You will be redirected to https://portal.office.com/account, where you need to navigate to Security & privacy and select Create and manage app passwords:
- Create a new app password and copy it, for example, to Notepad. Note that the same app password can be used for multiple apps or a new unique app password can be created for each app.
Now you have all the credentials to start protecting your Office 365 data. When adding an Office 365 organization to the Veeam Backup for Microsoft Office 365 scope, make sure you select the correct deployment type (which is ‘Microsoft Office 365’) and the correct authentication method (which in our case is Modern authentication). Keep in mind that with v3, you can choose to use the same or different credentials for Exchange Online and SharePoint Online (together with OneDrive for Business). If you want to use separate custom applications for Exchange Online and SharePoint Online, don’t forget to register both in advance in a similar way as described in this article.
GD Star Rating
How to get App ID, App secret and app password in Office 365,