NOTE: This blog post was last updated 17/03/20
Starting from the recently released version 3, Veeam Backup for Microsoft Office 365 allows for retrieving your cloud data in a more secure way by leveraging modern authentication. For backup and restores, you can now use service accounts enabled for multi-factor authentication (MFA). In this article, you will learn how it works and how to set up things quickly.
UPDATE: With new Update 4c we’ve added the support for Office 365 tenants using modern app-only authentication with disabled legacy protocols. In the new mode, VBO performs all its backup and restore operations using an Azure AD application instead of user credentials. This new mode addresses the needs of customers using Microsoft Security Defaults in their Office 365 tenant organizations. Learn more about the Update 4c in this blog.
How does Multi-Factor Authentication in Office 365 work?
For modern authentication in Office 365, Veeam Backup for Microsoft Office 365 leverages two different accounts: an Azure Active Directory custom application and a service account enabled for MFA. An application, which you must register in your Azure Active Directory portal in advance, will allow Veeam Backup for Microsoft Office 365 to access Microsoft Graph API and retrieve your Microsoft Office 365 organizations’ data. A service account will be used to connect to EWS and PowerShell services. Correspondingly, when adding an organization to the Veeam Backup for Microsoft Office 365 scope, you will need to provide two sets of credentials: your Azure Active Directory application ID with either an application secret or application certificate and your services account name with its app password:
Can I disable all basic authentication protocols in my Office 365 organization?
While Veeam Backup for Microsoft Office 365 v3 fully supports modern authentication, it has to fill in the existing gaps in Office 365 API support by utilizing a few basic authentication protocols. First, for Exchange Online PowerShell, the AllowBasicAuthPowershell protocol must be enabled for your Veeam service account in order to get the correct information on licensed users, users’ mailboxes, and so on. Note that it can be applied on a per-user basis and you don’t need to enable it for your entire organization but for Veeam accounts only, thus minimizing the footprint for a possible security breach. Another Exchange Online PowerShell authentication protocol you need to pay attention to is the AllowBasicAuthWebServices. You can disable it within your Office 365 organization for all users — Veeam Backup for Microsoft Office 365 can make do without it. Note though, that in this case, you will need to use application certificate instead of application secret when adding your organization to Veeam Backup for Microsoft Office 365. And last but not the least, to be able to protect text, images, files, video, dynamic content and more added to your SharePoint Online modern site pages, Veeam Backup for Microsoft Office 365 requires LegacyAuthProtocolsEnabled to be set to $True. This basic authentication protocol takes effect for all your SharePoint Online organization, but it is required to work with certain specific services, such as ASMX.
How can I get my application ID, application secret and application certificate?
Application credentials, such as an application ID, application secret and application certificate, become available on the Office 365 Azure Active Directory portal upon registering a new application in the Azure Active Directory. To register a new application, sign into the Microsoft 365 Admin Center with your Global Administrator, Application Administrator or Cloud Application Administrator account and go to the Azure Active Directory admin center. Select New registration under the App registrations section:
Add the app name and select the Accounts in this organizational directory only as the supported account type. Application redirect URI is optional, you can leave it blank on this step. Click Register:
Your application ID is now available in the app overview, but there’re a few more steps to take to complete your app configuration. Next, you need to grant your new application the required API permissions. Select View API Permissions:
By default, your new application is granted with one delegated permission for Microsoft Graph – User.Read. It is not required for Veeam Backup for Microsoft Office 365, and can be removed if you like. Click Add a permission:
Select Microsoft Graph from the list of commonly used Microsoft APIs:
Azure AD applications can have either Delegated or Application permissions. Delegated permissions require a signed-in user present who consents to the permissions every time an API call is sent, while Application permissions are consented by an administrator once granted. Veeam Backup for Microsoft Office 365 acts as a service and requires Application permissions. Select Directory.Read.All (Read directory data) and Group.Read.All (Read all groups) from the list of available permissions, and click Add permissions:
Note that if you want to use an application certificate instead of an application secret, you must additionally select the following API and corresponding permissions when registering a new application:
- Microsoft Exchange Online API access with Use Exchange Web Services with full access to all mailboxes’ permissions
- Microsoft SharePoint Online API access with Have full control of all site collections permissions
To complete granting permissions, you need to grant administrator consent. Click Grant admin consent for <tenant name>. Click Yes to confirm granting permissions:
Now your app is all set and you can generate an application secret and/or application certificate. Both are managed on the same page. Select your app from the list in the App registrations section, click Certificates & secrets and select New client secret to create a new application secret or select Upload certificate to add a new application certificate:
For application secret, you will need to add a secret description and its expiration period. Once it’s created, copy its value as it won’t be displayed again:
How can I get my app password?
If you already have a user account enabled for Multi-Factor Authentication for Office 365 and granted with all the roles and permissions required by Veeam Backup for Microsoft Office 365, you can create a new app password the following way:
- Sign into Office 365 with this account and pass additional security verification. Go to user’s settings and click Your app settings:
- You will be redirected to https://portal.office.com/account, where you need to navigate to Security & privacy and select Create and manage app passwords:
- Create a new app password and copy it as it won’t be displayed again. Note that you can create a new unique app password for each application and when needed.
Now you have all the credentials to start protecting your Office 365 data. When adding an Office 365 organization to the Veeam Backup for Microsoft Office 365 scope, make sure you select the correct deployment type (which is ‘Microsoft Office 365’) and the correct authentication method (which in our case is Modern authentication). Keep in mind that with v3, you can choose to use the same or different credentials for Exchange Online and SharePoint Online (together with OneDrive for Business). If you want to use separate custom applications for Exchange Online and SharePoint Online, don’t forget to register both in advance in a similar way as described in this article.