Veeam Backup for Office 365 now offers support for the Baseline Policy ‘Require MFA for Admins’

Veeam Backup for Microsoft Office 365

Today’s release of version 3.0.0.422 of Veeam Backup for Office 365 (VBO) offers many new features and benefits, but none as significant as the ability to use multi-factor authentication for the admin account when configuring and reconfiguring VBO.

Let me explain why.  

    

Azure AD Privileged access, today

Microsoft is working hard to further harden Azure Active Directory tenants, so the roughly 18 million organization depending on it, don’t get disappointed by Azure AD-based security breaches and don’t have to worry about attacks on their infrastructure.

One of the newest technologies Microsoft is developing is Baseline Policies. Using baseline policies, fields of attention will be addressed automatically and continually. The first baseline policy, which is now in public preview, is the Baseline Policy: Require MFA for admins.

Currently, this baseline policy is in public preview and non-enforced. However, Microsoft is planning to turn this baseline policy on, automatically, in the near future.

       

About the Baseline Policy: Require MFA for admins (Preview)

The Baseline Policy: Require MFA for admins (Preview) in Azure AD requires multi-factor authentication for the following directory roles:

  • Global administrators (also known as Company administrators)
    This role permits access to all administrative features across Azure AD and Office 365. This is the most powerful role.
  • SharePoint administrators
    This role permits access to the SharePoint online admin center. This includes the ability to create, delete, and assign permissions to site collections and manage OneDrive for Business.
  • Exchange administrators
    This role permits management of Exchange Online. This includes the ability to grant Send As and Send on Behalf permissions to users for other user’s mailboxes.
  • Conditional Access administrators
    This role grants the ability to manage Azure Active Directory conditional access settings. To deploy Exchange ActiveSync conditional access policy in Azure, the user must also be a Global Administrator.
  • Security administrators
    This role grants the ability to read security and audit information, and to manage the Privileged Identity Management service and the Identity Protection Center (requires Azure AD Premium P2).

These roles have a high potential to be misused. To verify the authentication for users with these roles within your tenant, additional authentication is required in the form of Azure Multi-Factor Authentication (Azure MFA)

    

Veeam Backup for Office 365 and the Baseline Policy

Veeam Backup for Office 365 version 2 requires a service account with the SharePoint administrators role. This service account is impacted by the Baseline Policy: Require MFA for admins (Preview) and the service account keeps popping up at organizations that use VBO and use my script to assess the impact that the new Baseline Policy for Admins in Azure AD might have. Up till today, they had no other option than to disable the Baseline Policy, or to exclude the VBO service account.

That stops today.

     

Call to action

If your organization uses Veeam Backup for Office 365, please upgrade to Veeam Backup for Office 365. Lightning speed backups, data protection reports and flexible retention options are also thrown in the mix, but in my opinion the multi-factor authentication support and the fact that Veeam Backup for Microsoft Office 365 v3.0.0.422 now connects to Office 365 securely by leveraging a custom application in Azure AD along with an MFA-enabled service account with its app password to create secure backups is the best reason to upgrade.

Security first! Thumbs up

   

Known issues when upgrading

Please be aware of the following upgrade notes:

  • Upgrade from the beta version of the application is not supported.
  • After upgrading from version 1.5 or 2.0 to 3.0, the nearest scheduled job run is displayed in the console as performing a Full sync, though actually it performs Incremental sync. The amount of transferred data, however, will show that only changes are being synchronized during that job session.
  • If you have edited the Config.xml file for Veeam Backup for Microsoft Office 365 manually, these modifications will not be preserved after the upgrade. You may need to make new custom settings (if necessary).

   

Further reading

What’s new in v3 of Veeam’s Office 365 backup 
NEW Veeam Backup for Microsoft Office 365 v3   
Veeam Backup for Office 365 v3 Product overview    
Veeam Backup for Office 365 v3 User guide  
Veeam Backup for Office 365 v3.0.0.422 Release notes

One Response to Veeam Backup for Office 365 now offers support for the Baseline Policy ‘Require MFA for Admins’

  1.  

    I found that VBO’s “modern auth” requires Azure AD legacy auth. Have you seen this? Am I missing something?

    https://www.mcbsys.com/blog/2019/07/veeam-o365-modern-auth-requires-legacy-auth/

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.