How to: M365 Backup & Archive Setup (Legacy MFA Authentication)

Customers wishing to utilise Legacy Authentication can follow the steps here to get started.

This method of authentication for apps will be decommissioned as of October 2022. Probax strongly recommends utilising App-Only authentication, as per the steps in this guide. Note that the legacy method below requires turning off Security Defaults for the whole tenant and allowing basic authentication for the backup account, so treat it as a temporary configuration rather than a long-term one.

The following is a list of the details we will be running through in this guide:

  • Registering an application in Azure Active Directory
  • Obtaining the Application ID
  • Creating and obtaining a client application secret
  • Setting up a new MFA user account solely for backups
  • Assigning the required roles for the newly created user account
  1. Log into the Azure Active Directory admin centre, select 'Azure Active Directory' from the left-hand panel and navigate to "Properties", which is shown on the left-hand panel:

    1. At the bottom of the screen, select "Manage Security defaults".
    2. Ensure that the option "No" is selected and click Save if adjustments were made. (Security defaults block legacy authentication for every account in the tenant, so they must be off for this method to work.)
  2. Scroll up on the left-hand bar to 'App registrations' and select New registration:

  3. Insert your desired name, select the option Accounts in this organisational directory only, followed by Register.
  4. Once registered, you will need to grant your application the required permissions. Select Overview followed by View API permissions:
  5. Assign the Microsoft Graph Permissions
    1. Select Add a permission:
    2. Within the wizard, select Microsoft Graph followed by Application permissions:
    3. Navigate through the permissions list and add Directory.Read.All, TeamSettings.ReadWrite.All, Group.Read.All and Sites.Read.All as Application permissions.

  6. Assign the SharePoint Permission
    1. Select Add a permission:
    2. Select SharePoint from the listed APIs, and select Application permissions.
    3. Navigate to Sites.FullControl.All and User.Read.All, select both, and click 'Add permissions' to finalise this change.
  7. Assign the Exchange Permissions
    1. Whilst signed into the Azure Portal as a Global Administrator, navigate to Azure Active Directory.
    2. Within the left-hand panel, select "App registrations", followed by the M365 application for your backups.
    3. Click "Add a permission".
    4. Navigate to the tab "APIs my organization uses".
    5. Search for "Office 365 Exchange Online", and select "Application permissions".
    6. Within the heading "Other permissions", select the full_access_as_app permission and click "Add permissions" at the bottom of the screen. This permission lets the application open every mailbox in the tenant through Exchange Web Services, so the client secret created in step 13 must be protected accordingly.

  8. Under the option Grant consent, select “Grant admin consent for…”:
  9. Confirm that admin consent has been granted and then select Overview:

  10. Take note of the Application (client) ID in a way that you can easily refer back to (Application ID – ExampleValue), as this is required when adding the organisation to Probax Hive:
  11. In order to create an Application Secret, navigate to Certificates & secrets followed by + New client secret.
  12. Insert the desired description and select an expiry date within the wizard, then select Add. Choose the shortest expiry your renewal process can support; the backup will stop authenticating when it lapses, so record the date.
  13. You will notice an Application Secret Value, similar to what is shown below. Take note of the Value in a way that is easy to refer back to (Application Secret – ExampleValue); it is displayed only at creation time and cannot be retrieved afterwards, so store it in a password vault rather than a document. Please note, there is also an ID reference that will appear beside the Value output, which is not required.
  14. Create a new user to use as the Backup Service account:

    Navigate back to the Azure Active directory admin center dashboard, select Users – All users followed by selecting New user.

    In this area, please:
    1. Assign a username for the Backup Service account (probaxbackup or similar is fine)
    2. Assign a name for the user
    3. Leave the First name, Last name and Groups fields unchanged
    4. Next to 'Roles', designate Exchange Administrator and SharePoint Administrator under Directory role. These roles are required to continue with the setup process.
    5. Once confirmed, check that your roles were added correctly by heading to the 'Assigned roles' tab (occasionally these roles won't assign properly during the user creation step). Hit 'Add assignments' if you do not see the Exchange Administrator and SharePoint Administrator roles here.

  15. Enforce MFA on your new Backup Service account user
    1. In the 'All users' tab, head to 'Multi-Factor Authentication' (this may be listed as 'Per-user MFA').
    2. Look through your list of users and locate your Backup Service account (you may need to change the view at the top to list just 'users'; in Microsoft's example screenshot the account is 'John Smith', so look for the name you set in step 14 above). Check the box next to this account.
    3. With the Backup Service account selected, head to the right-hand side of the screen and look for the quick steps heading. Hit 'Enable' to enable MFA on this user.
    4. At this point, check that the MULTI-FACTOR AUTH STATUS reads 'Enforced'. If it doesn't, repeat step 15.3 and hit 'Enforce' under quick steps. An account left in the 'Enabled' state cannot create app passwords; it must be 'Enforced'.

  16. Adding an Authentication policy:
        1. Connect to the Exchange Online module
          1. Firstly, open PowerShell as an administrator
          2. Install the Exchange module by running the command:
            Install-Module -Name ExchangeOnlineManagement -Force
          3. Then, import this module using this command (select 'Yes' to any prompts that pop up):
            Import-Module ExchangeOnlineManagement -Force
          4. Sign in to your Microsoft account by running
            Connect-ExchangeOnline
            and entering your details.
        2. Determine if there is a pre-existing authentication policy in place
          1. Run the command
            Get-AuthenticationPolicy
          2. If there is no output, then there is no policy in place and one will need to be created. Please follow the steps in 16.3.

            NOTE: If you receive the error in PowerShell
            "The term 'Get-AuthenticationPolicy' is not recognized"
            please double-check that the Exchange Administrator role is assigned (as in step 14.4) to the account you connected with; Exchange Online only loads the cmdlets the signed-in account is permitted to run.

          3. If there is already a policy in place, you will need to ensure that "True" is listed for "AllowBasicAuthPowershell" and "AllowBasicAuthWebServices". If it is not, adjust the policy using this Microsoft Article as a guide (the Set-AuthenticationPolicy commands in step 16.3.2 apply equally to an existing policy). Once done, assign the policy to your Backup Service account as in step 16.3.3 below.
        3. The following is an example of the commands you can use to create an authentication policy and apply the required adjustments.
          1. To create the authentication policy, run the following command in the opened PowerShell window:
            New-AuthenticationPolicy -Name "Allow Basic Auth"
          2. To enable basic authentication for PowerShell, Exchange Web Services and Autodiscover in the new authentication policy (the parameter for web services is the plural AllowBasicAuthWebServices), run the commands:
            Set-AuthenticationPolicy -Identity "Allow Basic Auth" -AllowBasicAuthPowershell
            Set-AuthenticationPolicy -Identity "Allow Basic Auth" -AllowBasicAuthWebServices
            Set-AuthenticationPolicy -Identity "Allow Basic Auth" -AllowBasicAuthAutodiscover
          3. To assign this policy to the backup service account, run the command:
            Set-User -Identity <UserIdentity> -AuthenticationPolicy "Allow Basic Auth"
            Note: Replace <UserIdentity> with the Backup Service account's user principal name (remove the <>). Assign the policy to this account only; do not set it as the organisation default, as that would re-enable basic authentication for every user in the tenant.
  17. Still in the Exchange Online module, ensure that the ApplicationImpersonation role is assigned to the Backup Service account
    1. Apply the role using the following command in PowerShell. Remember to substitute <BackupServiceAccount> with your account name (remove the <>):
      New-ManagementRoleAssignment -Role ApplicationImpersonation -User <BackupServiceAccount>
    2. Check this role has been applied using this command:
      Get-ManagementRoleAssignment -Role "ApplicationImpersonation"
  18. Back in your Exchange admin center, navigate to the 'Roles' tab and select 'Admin roles'. Select 'Add role group'.

  19. Give this role group a name (we recommend ProbaxBackupRole, or anything that helps your team identify its use).

  20. The next screen allows you to set permissions for your new role group. Navigate to and select the following roles, as per Veeam's KB:
    1. Application Impersonation
    2. Organisation Configuration
    3. Mailbox Search (can appear as Mail Recipients)
    4. Role Management
    5. View-Only Configuration
    6. View-Only Recipients

  21. Then, under the role group's members, select your M365 user (the one you created in step 14).
  22. Finally, to obtain the App Password, sign into Microsoft 365 as the newly created account and follow the prompts to create an app password (this will appear as one of the available 'methods').


Customers unable to see the option to set up an app password must revisit steps 14 and 15 to ensure that MFA is ENFORCED (rather than ENABLED or DISABLED).
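As an added example (not from the original article and not Probax's or Veeam's own code), the app registration built by hand in steps 2 to 13 can also be created with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that you sign in as a Global Administrator, and that the application name is the one you would have typed in step 3; the permission IDs are looked up by name from each resource's service principal instead of being hard-coded, and the three resource application IDs are Microsoft's well-known first-party values.

```powershell
# Added example: create the backup app registration from steps 2-13 with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; signed in as a Global Administrator; $appName is your choice.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "Directory.ReadWrite.All"

$appName = "Probax M365 Backup"   # assumed name; use whatever you entered in step 3

# Well-known first-party resource app IDs: Microsoft Graph, SharePoint Online, Exchange Online.
# The role names are exactly the permissions the article asks for in steps 5, 6 and 7.
$resources = [ordered]@{
    "Microsoft Graph"              = @{ AppId = "00000003-0000-0000-c000-000000000000"
                                        Roles = @("Directory.Read.All", "TeamSettings.ReadWrite.All", "Group.Read.All", "Sites.Read.All") }
    "Office 365 SharePoint Online" = @{ AppId = "00000003-0000-0ff1-ce00-000000000000"
                                        Roles = @("Sites.FullControl.All", "User.Read.All") }
    "Office 365 Exchange Online"   = @{ AppId = "00000002-0000-0ff1-ce00-000000000000"
                                        Roles = @("full_access_as_app") }
}

# Resolve each permission name to its app-role GUID on the resource's service principal.
$requiredResourceAccess = foreach ($name in $resources.Keys) {
    $sp = Get-MgServicePrincipal -Filter "appId eq '$($resources[$name].AppId)'" | Select-Object -First 1
    if (-not $sp) { throw "Service principal for '$name' not found in this tenant" }
    $access = foreach ($roleName in $resources[$name].Roles) {
        $role = $sp.AppRoles | Where-Object { $_.Value -eq $roleName -and $_.AllowedMemberTypes -contains "Application" }
        if (-not $role) { throw "Application permission '$roleName' not found on '$name'" }
        @{ Id = $role.Id; Type = "Role" }   # Type "Role" = application (app-only) permission
    }
    @{ ResourceAppId = $sp.AppId; ResourceAccess = @($access) }
}

# Step 3: single-tenant registration ("Accounts in this organisational directory only").
$app   = New-MgApplication -DisplayName $appName -SignInAudience "AzureADMyOrg" -RequiredResourceAccess @($requiredResourceAccess)
$appSp = New-MgServicePrincipal -AppId $app.AppId

# Step 8: tenant-wide admin consent, expressed as one app-role assignment per permission.
foreach ($rra in $requiredResourceAccess) {
    $resourceSp = Get-MgServicePrincipal -Filter "appId eq '$($rra.ResourceAppId)'" | Select-Object -First 1
    foreach ($ra in $rra.ResourceAccess) {
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id -PrincipalId $appSp.Id `
            -ResourceId $resourceSp.Id -AppRoleId $ra.Id | Out-Null
    }
}

# Steps 11-13: client secret with a bounded lifetime. The value is returned exactly once.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "Probax Hive"
    EndDateTime = (Get-Date).AddMonths(12)
}

"Application (client) ID : $($app.AppId)"
"Client secret value     : $($secret.SecretText)"
```

Copy the two printed values straight into your vault. Every permission granted here is an application permission, so whoever holds that secret can read every mailbox and site in the tenant with no user sign-in and no MFA; the secret, not the Backup Service account, is the credential that matters most in this setup.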
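The Exchange Online work in steps 16 and 17 can be run as a single script that is safe to re-run, shown here as an added example (not from the original article and not Probax's or Veeam's own code). It assumes the ExchangeOnlineManagement module is installed and that you connect as an account holding the Exchange Administrator role; the user principal name and the policy name are placeholders to replace with your own.

```powershell
# Added example: steps 16 and 17 as one idempotent Exchange Online script.
# Assumptions: ExchangeOnlineManagement installed; you connect as an Exchange Administrator;
# $backupUser is a placeholder for the account created in step 14.
$backupUser = "probaxbackup@contoso.onmicrosoft.com"
$policyName = "Allow Basic Auth"

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Step 16.2: reuse the policy if it already exists, otherwise create it (step 16.3.1).
$policy = Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-AuthenticationPolicy -Name $policyName
}

# Step 16.3.2: allow only the basic-auth protocols the backup needs. Every other protocol
# (IMAP, POP, SMTP, ActiveSync, MAPI, RPC ...) stays blocked in this policy.
Set-AuthenticationPolicy -Identity $policyName `
    -AllowBasicAuthPowershell:$true `
    -AllowBasicAuthWebServices:$true `
    -AllowBasicAuthAutodiscover:$true

# Step 16.3.3: scope the policy to the backup account only, never as the organisation default.
Set-User -Identity $backupUser -AuthenticationPolicy $policyName

# Policy changes are cached per user for up to 24 hours; resetting the token validity
# timestamp makes the new policy apply on the next sign-in instead.
Set-User -Identity $backupUser -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

# Step 17: ApplicationImpersonation, added only if this account does not already hold it.
$existing = Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $backupUser -ErrorAction SilentlyContinue
if (-not $existing) {
    New-ManagementRoleAssignment -Role ApplicationImpersonation -User $backupUser | Out-Null
}

# Verification: show what actually applied rather than trusting the cmdlets' silence.
Get-AuthenticationPolicy -Identity $policyName |
    Format-List Name, AllowBasicAuthPowershell, AllowBasicAuthWebServices, AllowBasicAuthAutodiscover
Get-User -Identity $backupUser | Format-List UserPrincipalName, AuthenticationPolicy
Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $backupUser |
    Format-Table Name, RoleAssigneeName

Disconnect-ExchangeOnline -Confirm:$false
```

If the verification shows the policy's flags as True but the backup still fails with a 401, check the order of events: the policy must be assigned to the account before the app password from step 22 is first used, and the account must report 'Enforced' MFA status, not merely 'Enabled'.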

    At this point, it's essential to check some (normally default) settings to ensure they don't stop the organisation from being linked. The following setting still applies to MFA organisations, despite Microsoft's naming of it.

      Applications that don't use MFA

      Head to the SharePoint Online admin centre:

      1. Select the "Policies" dropdown menu
      2. Click "Access Control"
      3. Select the heading "Apps that don't use modern authentication".
      4. Ensure that the option "Allow" is selected.
      5. Click "Save" if any adjustments were made.

      This is the tenant-wide switch for clients that cannot use modern authentication (the same setting as LegacyAuthProtocolsEnabled in the SharePoint Online PowerShell module), so it applies to every such client in the tenant, not only the backup account.

      Legacy authentication is being decommissioned; please review this article to ensure your organisation isn't already in this process:
      https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-september-2021-update/ba-p/2772210

      Changes to permissions or roles within Microsoft 365 may take some time to propagate and become visible to Veeam. Please allow one hour for this to complete before proceeding with the link to Hive.

      Linking your organisation account on Hive

      1. Log into Probax Hive.
      2. Within the right-hand panel, select the Accounts tab and navigate to the desired account. (In the event you do not yet have an account for your organisation, simply select Create New Account near the upper-right section of the site).
      3. Select the option Manage Storage Spaces at the upper-right corner of the site within the Resources tab.
      4. Select the option Add New Storage Space.
      5. Navigate to the Microsoft 365 section and fill in the required details.
      6. Once the account has been successfully added, your organisation will appear similar to what is shown below.


      For customers receiving an alert referring to a '401' error when trying to add their M365 organisation to Hive, please visit our '401 troubleshooting' KB article, which will guide you through the essential steps to get the organisation through.

      Congratulations! Your M365 backup job has now been created, and you are ready to begin configuring this organisation's job. Head to this knowledge base article for more information on how to begin adding users and changing your settings.