To connect Veeam Backup for Microsoft Office 365 to the Office 365 backend, we need to configure the authentication and authorizations. Let's explore a new way to authenticate your Veeam Backup for Microsoft Office 365 added in the Update 4c.
To connect and backup the data out of the Office 365 infrastructure, Microsoft is offering multiple endpoints and APIs with all their own characteristics for the different workloads. The most important “gateway” to the Office 365 infrastructure is Microsoft Graph. Microsoft Graph exposes the REST APIs to interact with the Office 365 infrastructure, which allows Veeam Backup for Microsoft Office 365 to backup or restore data.
Next to the Microsoft Graph interface, there are still some legacy application-specific APIs in use like the Exchange Web Services (EWS) API to interact with specific components of Exchange Online which are not accessible yet within the Graph APIs.
Why legacy APIs are relevant to authentication?
We all agree that Basic Authentication consisting of username and password only is not the way forward for cloud-based services for security seasons. And specially not for backup service accounts with access to all resources. Therefore, Microsoft is offering Modern Authentication as the default authentication method for all new services. Modern Authentication in Office 365 enables authentication features like: multi-factor authentication (MFA), smart cards, certificate-based authentication (CBA), and third-party SAML identity providers. Modern Authentication is based on the Active Directory Authentication Library (ADAL) and OAuth 2.0.
As a result, Veeam Backup for Microsoft Office 365 needs to access the Office 365 APIs and resources using Modern Authentication. And here comes the challenge - not all (legacy) APIs are compatible with the Modern Authentication standards and still require the Basic Authentication.
Driven by security guidelines, more and more companies are looking into disabling Basic Authentication for their Office 365 tenants. For newly-deployed Office 365 tenants it’s even the standard nowadays.
With new Update 4c we've added the support for Office 365 tenants using modern app-only authentication with disabled legacy protocols. In the new mode, VBO performs all its backup and restore operations using an Azure AD application instead of user credentials. This new mode addresses the needs of customers using Microsoft Security Defaults in their Office 365 tenant organizations.
As a result of the missing APIs, when we run Veeam Backup for Microsoft Office 365 v4c without the usage of Legacy Authentication, the following list of limitations will be applied:
- Discovery of Search and Public Folder mailboxes will not be available for backup
- Dynamic Distribution groups will not be available for backup
- OneNote restore will not be supported
- Web Part template will not be preserved upon a restore; all web parts will be restored with the default template
- Web Part backup will be limited. Only Web Parts configured to be exportable will be available for backup and restore
- Survey lists in Team Modern Sites will be restored without preserving the “allow multiple responses” setting
Measure-VBOOrganizationFullBackupSizecmdlet will not be supported.
For more on information on version 4c, view the release notes.
To learn more about Veeam’s multi-factor authentication in Office 365 read our How to get App ID, App secret and app password in Office 365 blog post.
Get started by downloading a FREE 30-day trial of Veeam Backup for Microsoft Office 365.