Adding an organization fails with the “401: Unauthorized” and “Connect to PowerShell Access Denied” errors in Office 365 tenants with enabled Security Defaults

Challenge

Adding new Office 365 tenant organization to the Veeam Backup for Microsoft Office 365 scope fails with the “401: Unauthorized” and “Connect to PowerShell Access Denied” errors, or Veeam Backup for Microsoft Office 365 operations interrupted for Office 365 tenants with enabled Security Defaults. 

Cause

Security Defaults in Azure Active Directory (Azure AD) are introduced by Microsoft to implement the same basic level of security across all Office 365 tenants.  

Security Defaults are a set of pre-configured protection policies that come as a successor of the preview Baseline security policies. Once enabled Security Defaults disable baseline policies, enforce the following policies at once and cannot be modified: 

• Require MFA for all users, including administrators and Azure management 
• Require Azure MFA registration
• Block legacy authentication

In order to provide customers a wider set of data protection functionality, Veeam Backup for Microsoft Office 365 utilizes legacy authentication protocols for Exchange Web Services (EWS), Exchange Online PowerShell and SharePoint Web Services connections in cases where Microsoft Graph REST API calls are not yet available. Blocking legacy authentication with Security Defaults causes disruptions in Veeam Backup for Microsoft Office 365 operations, making it unable to authenticate to the above-mentioned Office 365 endpoints under MFA-enabled user accounts with app passwords.  

Starting February 29th, 2020 Microsoft is enforcing Security Defaults protection policies by default on all net new Office 365 tenants.  

Microsoft Partners in order to stay compliant are encouraged to meet the partner security requirements and advised to do so in one click by enabling Security Defaults.  

Solution

It is always Veeam’s goal to release support for platform incompatibilities as fast as possible (almost always within 90 days), as our partners continue to enhance their offerings. Veeam R&D is working on a solution to fully support Office 365 tenants enforced with the new Security Defaults. Note that some functionality limitations may apply to this support depending on the available Microsoft Graph API. To be the first to know about the availability of this new version of Veeam Backup for Microsoft Office 365, please follow the updates on the product download page and Veeam Community Forums.  

Today, to comply with Microsoft Partner security requirements while ensuring the protection of your Office 365 business-critical data with Veeam Backup for Microsoft Office 365, you need to temporarily disable Security Defaults if those are already in use and replace them with the following Conditional Access policies (see more in this Microsoft article): 

1. Require MFA for all users, including administrators and Azure management (see more details in this Microsoft article) 
2. Require Azure MFA registration (see more details in this Microsoft article) 
3. Block legacy authentication with an exception for a service account(s) used by Veeam Backup for Microsoft Office 365 (see more in this Microsoft article). It’s important to understand that allowing for legacy authentication doesn’t contradict Microsoft partner security requirements. To fully comply Microsoft Partners must enforce multi-factor authentication for all users in their tenant without any exceptions (see more in this Microsoft article). 

Note: Disabling previously enabled Security Defaults does not take effect immediately, it takes time to be applied across your Office 365 tenant.  

Note: Conditional Access policies is a feature available for Office 365 tenants with Azure AD Premium subscription.