Veeam Backup for Office 365: Configure Modern Authentication

Veeam Backup for Office365

Veeam Backup for Office 365 is the solution to protect your tenant where everyday many email and documents are managed to make your business. The product is now in v3 and thanks to latest improvements, we have a great level of reliability.

One of the most important news, in terms of security, is absolutely the support to Modern Authentication. Compared with standard authentication, this offers a high quality standard about protection because the trust is made in Azure Active Directory, thanks to a Secret Key, instead classic username/password. Once the application is registered, the key cannot be recovered unless you create a new application.

If all this has not convinced you, it is worth considering that Microsoft intends to drop Basic Authentication as soon as Office 2010 goes out of support and this means that all access clients to the Office 365 platform will only have to support the Modern Authentication.

In this article we’ll see how to do it within Veeam Backup for Office 365.

App Registration

The first step is to register a new application within the Azure Active Directory – figure 1 section.

Figure 1 – New Registration

Enter the name you prefer – figure 2 – leaving the option on the supported account type unchanged.

Figure 2 – Application Name

Once created, enter the Permission API section and add new permissions – figure 3.

Figure 3 – API Permission

Select the Application Permission – figure 4.

Figure 4 – Application Permission

Search for and select these permissions, without forgetting to click the Grant Admin Consent button – figure 5.

  • Directory.Read.All
  • Group.Read.All
Figure 5 – Permissions

The next step is a new Secret Key; as mentioned above, as soon as saved it will only be shown once and this causes the security level to be high.

Figure 6 – VBO App
Figure 7 – New Secret Key

NB: Remember to save this key until you set up Veeam Backup.

Once the application part is marked, it is time to create the user of access to resources – figure 8.

Figure 8 – New User

Multi Factor Authentication (MFA) should be enabled for this user to make everything fine. Is it mandatory? No, but having this user administrative permissions, activation is the minimum.

Figure 9 – MFA Activation

To protect Exchange Online, you must assign the user “Global Administrator” or “Exchange Administrator” permissions, as well as assign permissions to ApplicationImpersonation  – figure 11 – within the Exchange Control Panel – figure 10.

Figure 10 – Exchange Control Panel
Figure 11 – ApplicationImpersonation Role

To protect SharePoint Online, you must assign the user “Global Administrator” or “SharePoint Administrator” permissions.

Open an InPrivate Browser page and login with the service user, to activating the MFA part – figure 12 and 13.

Figure 12 – Login System Account
Figure 13 – MFA Enabling

As each user where is activated the MFA, an app password is released – figure 14 – that allows you to access mail resources, such as Microsoft Outlook. This password takes the place of classic one but not for standard login to Azure/Office 365 website.

Figure 14 – Password App

Veeam Configuration

With Azure AD configured, all that remains is to add a new tenant within Veeam Backup – figure 15. The difference, compared to the classic wizard, is the selection of Modern Authentication mode – figure 16.

Figure 15 – New Tenant
Figure 16 – Modern Authentication

Enter the following parameters:

  • Application ID: application code you created
  • Application Secret: the key you saved earlier
  • Username: the user created for this service
  • Password: the password app generated from MFA wizard
Figure 17 – Credential Configuration

If you have complied with the details of the article, the result will be that of figure 18.

Figure 18 – Wizard Completed

Enjoy! You can now configure your security plan however you want!

#DBS