To communicate with SharePoint online Veeam Backup for Microsoft 365 uses Microsoft CSOM library. When the CSOM library receives an authorization request, it attempts to reach msoid.onmicrosoft.com and msoid.<your-organization-domain>.onmicrosoft.com. Most internet service providers cannot resolve those names, and the CSOM library will quietly ignore those sites being unreachable. However, this only works if the library receives an HTTP error code (e.g., 404, 500, 503, etc.).
The error message occurs when an ISP redirects unresolved DNS calls to their DNS helper page, returning a status code 200 OK. When that happens, the library attempts to authenticate through this “helper” page, which fails with the error “For security reasons DTD is prohibited in this XML document.” or “Identity Client Runtime Library (IDCRL) could not look up the realm information for federated sign-in.”