VBO365 - Disable Basic Auth in M365 per Oct. 1, 2022


Userlevel 7
Badge +4

Microsoft has announced, that they are disabling basic auth on October 1st, 2022 for all tenants. It doesn‘t matter if you use it now or not. It gets disabled after October 1st, 2022.

 

From the announcement post:

Today, we are announcing that, effective October 1, 2022, we will begin to permanently disable Basic Auth in all tenants, regardless of usage (with the exception of SMTP Auth, which can still be re-enabled after that).

Source: https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-september-2021-update/ba-p/2772210

 

How is this relevant to our Veeam Backup Office 365 Installations?

Today, Veeam can backup Office 365 data without basic auth (modern Auth Only).

But this has some limitations. You can find them in this post:

https://www.veeam.com/kb3146

As soon basic auth is disabled from Microsoft, vbo servers with organizations and „modern authentification with legacy protocols“ or „basic authentication method“, backup jobs will most likely stop working.

 

What can be done from us administrators?

Everyone should be ready for this change when it happens. Perhaps, veeam will write a kb until next year to inform customers what can be done for vbo365.

For me, I think we will change to modern auth only and inform our customers about the new limitations. We will decide next summer when it gets clearer, what needs to be done. Security is more important than most of the missing features.

 

What other Third Party Software could be affected?

I have seen old software with POP3 Integration which are using POP3 with Basic Auth. They need to be checked if they can work with Modern Auth.

Software, which uses the EWS API from Microsoft needs also to be able to use Modern Auth. There are many software on the market with calendar integration which are connecting only with Basic Auth, to get the users calendars data.

SMTP will not be affected as written in the Microsoft Announcement Post.


———————————-

I am looking forward to October 2022 and what doesn‘t work after that. 😬😅

 

 

 


27 comments

Userlevel 7
Badge +7

In general a good thing, I think.

And probably Veeam will publish a solution for this until October 2022….

Userlevel 7
Badge +4

And probably Veeam will publish a solution for this until October 2022….

If they can :)

The Graph API doesn‘t expose everything.

And if I correctly understand the situation, there are many missing APIs „for using modern auth only“, which veeam needs for the backup and restore. 
 

we will see :)

Userlevel 7
Badge +5

Thx for posting this @Mildur ! Modern authentication is the way. I use this by default for all installation, except modern authentication with legacy protocols if the customer is still using public folders :-( 

Userlevel 7
Badge +4

Your welcome.

For me, it‘s „modern authentication with legacy protocols“ until now. 
Public folder will be the most missed feature from the limitation list. Or the restore of the OneNote data.

Hopefully Microsoft will build an API with modern Auth for veeam to leverage.

Userlevel 7
Badge +8

Yeah moving to MFA is the way to go now.  Nice to see this article.

Userlevel 7
Badge +6

Thanks for posting this is information @Mildur. I'm sure we'll see many changes, both from Microsoft and Veeam, till the end of basic auth.

Hi All, as we can only currently use Dynamic groups via Basic auth, Will Veeam plan to implement a solution to allow Dynamic groups to work via modern auth. This would great.

Userlevel 7
Badge +4

Hi All, as we can only currently use Dynamic groups via Basic auth, Will Veeam plan to implement a solution to allow Dynamic groups to work via modern auth. This would great.

@SpikeNZ 
We have to wait a few months to see what can be done.

It‘s to early to say. I will update this topic if I hear anything new from Veeam :)

Userlevel 7
Badge +5

Brace yourselves, new Microsoft vulnerability is coming...

Userlevel 7
Badge +8

This will be an interesting situation to watch, Microsoft have looked at charging for certain API accesses  historically (and backed down every time).

 

Part of me worries that once we lose alternatives such as basic access, we are giving Microsoft more leverage to take a “like it or lump it” approach and start charging for certain Graph APIs or above certain usage rates. (Understandably, they are a .com after all).

 

It tooks ages to get the Microsoft Teams Graph APIs but hopefully we’ll see the shortfalls addressed in v6 and subsequent updates as Veeam work with Microsoft to reduce the feature disparity between Basic & Modern auth.

It’s 2021 and I have to suggest to customers to use Basic Auth as the “holy grail” of Modern Auth is too limited to be a replacement for some.

Userlevel 7
Badge +4

Good thoughts, @MicoolPaul 

If there will be API Costs for that, it will get more difficult to sell it to the customers. 

Userlevel 7
Badge +8

This will be an interesting situation to watch, Microsoft have looked at charging for certain API accesses  historically (and backed down every time).

 

Part of me worries that once we lose alternatives such as basic access, we are giving Microsoft more leverage to take a “like it or lump it” approach and start charging for certain Graph APIs or above certain usage rates. (Understandably, they are a .com after all).

 

It tooks ages to get the Microsoft Teams Graph APIs but hopefully we’ll see the shortfalls addressed in v6 and subsequent updates as Veeam work with Microsoft to reduce the feature disparity between Basic & Modern auth.

It’s 2021 and I have to suggest to customers to use Basic Auth as the “holy grail” of Modern Auth is too limited to be a replacement for some.

This will be interesting for sure as O365 is a big seller for us.  Let's see what happens.

We are using modern authentification with legacy protocols because of public folders, it’s now less than 6 months until the deadline, and I haven’t found statements from Veeam yet except here in the forum. Meanwhile Microsoft regularly dends updates to administrators saying Basic auth will be disabled from october.

 

Does anyone have an insight on how to back up public folders in the future? Is veeam working on something? Is Microsoft working on something?

Userlevel 7
Badge +8

We are using modern authentification with legacy protocols because of public folders, it’s now less than 6 months until the deadline, and I haven’t found statements from Veeam yet except here in the forum. Meanwhile Microsoft regularly dends updates to administrators saying Basic auth will be disabled from october.

 

Does anyone have an insight on how to back up public folders in the future? Is veeam working on something? Is Microsoft working on something?

Hi, the R&D forums will be the best place to ask this question as there’s more engagement from Veeam engineers there. The lack of feature parity between modern & basic auth has historically been due to Microsoft not exposing APIs to handle this via the graph API, hence with basic auth, Veeam interact with EWS if I remember correctly, to work around this limitation.

Userlevel 7
Badge +6

@SOLUTIONS Unfortunately I haven’t read or heard any positive news about this topic. Veeam is still working on this together with Microsoft and we can only hope that something will change this October.

 

Userlevel 7
Badge +7

@Mildur , this is not a Veeam Backup Office 365 question, but will there be a solution for VBR Mail notification with a Office 365 mail server? As far as I understood, this is at the moment just possible with legacy authentication. I discussed this with a colleague today. I wasn’t aware of this topic. 

Userlevel 7
Badge +4

@vNote42

We plan to support OAuth in V12. For VB365, the team is also planning to include it :)

https://forums.veeam.com/post450210.html#p450210

Userlevel 7
Badge +7

@vNote42

We plan to support OAuth in V12. For VB365, the team is planning to include it :)

https://forums.veeam.com/post450210.html#p450210

Thanks for the fast answer, Fabian!!

What do I need to do to move away from Basic Auth? Do I need to buy Azure in order for Backup 365 to work as it is at the moment?

Userlevel 7
Badge +4

What do I need to do to move away from Basic Auth? Do I need to buy Azure in order for Backup 365 to work as it is at the moment?

 

@Glenn_LSTS 

SMTP Authentication or doing Backups?

 

For SMTP Notifications, wait for the next release of VB365. Modern Auth SMTP Auth will be possible then.

For Backups, just switch the authentication in VB365 to Modern App Only:

Adding Organizations with Modern App-Only Authentication - Veeam Backup for Microsoft 365 Guide

You will loose some features, check the KB for that first:

KB3146: Considerations and limitations when using different authentication methods (veeam.com)

 

If you are using Public Folder, then either wait with disabling Basic Auth until microsoft and veeam can provide a solution or migrate them to Shared Mailboxes (my prefered way :))

 

Userlevel 7
Badge +7

@vNote42

We plan to support OAuth in V12. For VB365, the team is planning to include it :)

https://forums.veeam.com/post450210.html#p450210

Thanks for the fast answer, Fabian!!

And so it looks like:

 

What do I need to do to move away from Basic Auth? Do I need to buy Azure in order for Backup 365 to work as it is at the moment?

 

@Glenn_LSTS

SMTP Authentication or doing Backups?

 

For SMTP Notifications, wait for the next release of VB365. Modern Auth SMTP Auth will be possible then.

For Backups, just switch the authentication in VB365 to Modern App Only:

Adding Organizations with Modern App-Only Authentication - Veeam Backup for Microsoft 365 Guide

You will loose some features, check the KB for that first:

KB3146: Considerations and limitations when using different authentication methods (veeam.com)

 

If you are using Public Folder, then either wait with disabling Basic Auth until microsoft and veeam can provide a solution or migrate them to Shared Mailboxes (my prefered way :))

 

Thanks for taking the time to reply.

We only use Veeam to backup our sharepoint subscription / emails / onedrive to local storage. I don’t believe we use smtp for anything.

So, we don’t need a Azure subscription? within the Desktop Application settings, Modern Auth seems to want me to plug in some Azure credentials.

As for features, we just need the ability to restore!

Userlevel 7
Badge +4

So, we don’t need a Azure subscription? within the Desktop Application settings, Modern Auth seems to want me to plug in some Azure credentials.

As for features, we just need the ability to restore!

 

You need to provide credentials (global Admin) to configure the app registration.

They won’t be used for backup after the configuration.

Hi,

 

I upgraded Veeam O365 from v5. to the latest version 6.1.0254 last week. And now i got the assignment to make sure we are on Modern Authentication or if not, make a change with the steps to get there.

 

I know i created a new App Registration with Microsoft Graph User.Read rights during the upgrade of Veeam.

I also noticed in the Sign-in Logs in Azure AD we still get Legacy Authentication Clients logins from Veeam. They are comming from the Veeam Auxiliary accounts we are using for spreading the load (i have been told).

2 Questions:

What should i do? Or where can i find how to do this?

How can i make us Modern Authentication-proof? And please some steps from the point of using Veeam o365 already and not from a new Veeam o365 installation

Userlevel 7
Badge +8

Hi,

 

I upgraded Veeam O365 from v5. to the latest version 6.1.0254 last week. And now i got the assignment to make sure we are on Modern Authentication or if not, make a change with the steps to get there.

 

I know i created a new App Registration with Microsoft Graph User.Read rights during the upgrade of Veeam.

I also noticed in the Sign-in Logs in Azure AD we still get Legacy Authentication Clients logins from Veeam. They are comming from the Veeam Auxiliary accounts we are using for spreading the load (i have been told).

2 Questions:

What should i do? Or where can i find how to do this?

How can i make us Modern Authentication-proof? And please some steps from the point of using Veeam o365 already and not from a new Veeam o365 installation

If you check the help here - Adding Organizations with Modern App-Only Authentication - Veeam Backup for Microsoft 365 Guide

This outlines adding Modern Auth to a new tenant but all you need to do is edit your existing Tenant(s) and change the authentication method.  Hopefully this helps.

Comment