I’m in the process of implementing Microsoft recommendations for Office 365 partners, specifically the four Azure AD Conditional Access baseline policies:
After enabling those policies and setting up 2FA on all admin users, I found that my Veeam O365 backups started failing with authentication errors.
I needed to install Veeam Backup for Office 365 (VBO) on a new machine anyway. I used version 18.104.22.1682. I found a very helpful blog post and a slightly different KB article about how to set up VBO to use “modern authentication.“ There is even a choice for Modern authentication in the setup wizard:
However, after carefully following the instructions, Veeam was still unable to connect:
Eventually, I realized that what Veeam calls modern authentication might be using legacy authentication. I’ve used other apps where, after enabling 2FA, you must use a 2FA App password because the app only supports basic, or legacy, authentication. Sure enough, after disabling the Baseline policy: Block legacy authentication in Azure AD, Veeam setup was able to complete:
The very fact that it prompts for an app password is a clue—in my experience e.g. with Microsoft Outlook 2016, modern authentication prompts for the username, “regular” password, and 2FA token from my authentication app, then it stores the authentication on the computer. There is no need for an app password.
Migrating completely away from legacy authentication is a major step and no doubt complex to implement. I’ve asked Veeam Support if VBO will continue to require legacy authentication.
Update July 8, 2019
Veeam Support has confirmed that legacy (basic) authentication is still required for some aspects of its API calls. That means you can’t disable it with an Office 365 baseline policy, but you can disable legay authentication for accounts other than the one you use for Veeam. The details are actually in the first blog post I cited above; I just hadn’t read the “fine print,” which I’ve reformatted here:
Can I disable all basic authentication protocols in my Office 365 organization?
While Veeam Backup for Microsoft Office 365 v3 fully supports modern authentication, it has to fill in the existing gaps in Office 365 API support by utilizing a few basic authentication protocols.
- First, for Exchange Online PowerShell, the AllowBasicAuthPowershell protocol must be enabled for your Veeam service account in order to get the correct information on licensed users, users’ mailboxes, and so on. Note that it can be applied on a per-user basis and you don’t need to enable it for your entire organization but for Veeam accounts only, thus minimizing the footprint for a possible security breach.
- Another Exchange Online PowerShell authentication protocol you need to pay attention to is the AllowBasicAuthWebServices. You can disable it within your Office 365 organization for all users — Veeam Backup for Microsoft Office 365 can make do without it. Note though, that in this case, you will need to use application certificate instead of application secret when adding your organization to Veeam Backup for Microsoft Office 365.
- And last but not the least, to be able to protect text, images, files, video, dynamic content and more added to your SharePoint Online modern site pages, Veeam Backup for Microsoft Office 365 requires LegacyAuthProtocolsEnabled to be set to $True. This basic authentication protocol takes effect for all your SharePoint Online organization, but it is required to work with certain specific services, such as ASMX.
Update February 22, 2020
Effective February 29, 2020, Microsoft is eliminating the “beta” baseline policies. The only free option remaining is the all-or-nothing Security Defaults. Once those are enabled, legacy auth is disabled and Veeam Backup for O365 is no longer able to authenticate.
Microsoft does allow you to buy Azure AD Premium P1 for $6/user/month and then configure more granular Conditional Access Policies, which could be used to re-enable legacy auth for a specific account. Whether that is a good idea is a subject of some debate. Note that AD Premium P1 is also included in Enterprise Mobility Suite E3.
Veeam is aware of the issue and there is a fairly active discussion in this thread: