Six weeks ago, we looked at how Veeam Backup for Office 365 works in tenants with multi-factor authentication required for admin roles. With Security Defaults being the norm in newly created Azure AD tenants and their respective Office 365 tenants, it’s a good time to look at how Veeam Backup for Office 365 can work without using legacy authentication protocols.
Veeam Backup for Office 365 version 4c (build 22.214.171.1249) is the first version of Veeam Backup for Office 365 that is able to work without a user account. Instead of user credentials, it only leverages the application registration in Azure Active Directory to communicate with Microsoft’s Application Programming Interfaces (APIs).
When you create a new organization in Veeam Backup for Office 365, the Office 365 connection settings page introduces a new option labeled ‘Allow for using legacy authentication protocols’. By default, the option is not selected.
This means that with these default settings, Veeam Backup for Office 365 can be used with tenants that have Security Defaults enabled.
Benefits of using API-only mode
The big benefit of using API-only mode is that admins can successfully disable legacy authentication protocols and/or enable the Security Defaults feature in their organization’s Azure AD tenant, if Veeam Backup for Office 365 was the last system, service or application that still used legacy authentication.
Drawbacks of using API-only mode
Veeam has long used a user account to offer full coverage of the backup and restore needs that Office 365 admins have. Meanwhile, Microsoft has been busy improving its APIs to offer more functionality, but they don’t offer full coverage today.
In API-only mode, the following limitations apply when compared to using Veeam Backup for Office 365 with both the application registration and user credentials:
- Discovery Search and Public Folder mailboxes are not supported.
- Dynamic Distribution groups are not supported.
- The type property for shared and resource/equipment mailboxes cannot be resolved. Such mailboxes will be available for backup with a general ‘User’ type.
- SharePoint Web Parts can only be backed up if their ‘exportmode’ property is enabled. Non-exportable Web Parts are not supported.
- OneNote restore is not supported.
- Customized SharePoint Web Part templates cannot be preserved upon a restore. All Web Parts will be restored with the default template.
- The ‘Allow multiple responses’ setting in survey lists within team modern sites is not preserved upon a restore.
- The ‘Measure-VBOOrganizationFullBackupSize’ cmdlet is not supported.
Additionally, application registrations are harder to audit than user accounts, which might lead to a different approach to auditing the Azure AD tenant.
Leaving both legacy authentication (authentication that is not capable of multi-factor authentication) and legacy protocols behind, Veeam Backup for Office 365 is a shining example of an application that adheres to the quickly changing realities of cloud computing.