Multi Factor Authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism. Different systems can use different factors that can be used to prove the identity. This is also the case for Microsoft Azure. The Azure App registration process leverages the MFA framework where a combination of App ID, Secret or Certificate can be used as authentication factors. This article explores the steps on how to setup the Azure App registration to let a specific a Backup application like Veeam Backup for Microsoft Office 365 to connect and be authorized to read specific types of data.
An application that is used to backup Office 365 Data requires access to the Office 365 Tenant. The “service account” under which the Backup and Restore jobs are operated needs to be verified and authorized. The MFA offers additional security when challenging the service account.
Veeam Backup for Microsoft Office 365 offers the option to connect and protect the Office 365 Tenant using either:
- Basic Authentication (Username and Password)
- Modern Authentication (Username, Password, App ID, App Secret or App Certificate)
This article explores the options to setup an Azure App that will be paired with a specific service account to run backup and restore jobs. This service account doesn’t need to be necessarily an “Admin” user and certainly needs to have specific Exchange, SharePoint and OneDrive permissions granted as covered in the next article.
The Azure App in this case is a “Web” type and allows to access, within the Microsoft Graph APIs, to securely access the Office 365 Tenants data. Veeam Backup for Microsoft Office 365 leverages exactly the same Microsoft Graph APIs (and others like EWS and SPO) and their Permissions to backup and restore data. Within the Azure App it is also possible to define which Permissions will be available. This part is important as it defines or restrict the type of information this Azure App is entitled to.
And finally an App Password or App Secret which will be used as an authentication factor for the MFA challenge. In this instance a new Azure App registration is configured with the App Secret (Password) instead of using an App Certificate.
The rest of the article shows the steps to create an Azure APP, obtain the App ID and App Secret.
How to setup Azure App registration
From the main Azure Portal the Azure Active Directory section includes the links to setup an Azure App Registration.
The App registration is available (at the time of writing) in two flavors: legacy and new. This one refers to the new one.
From this panel the option to review the existing ones (system and custom) and also create a new Azure App registration.
Next is to specify a friendly name which will be used to identify this Azure App. Veeam-VBO in this case. From the same page the option to specify which users will be allowed to use this Azure App as an authentication factor. By default this is limited to the Users within the Azure AD tenant. It can also be extended to other users in other organizations and other Microsoft Accounts like Skype, Xbox, Outlook, Live). In the Redirect URI the Web type and the URL can be specified. This field can be changed at any time.
At this point the Azure App is created and shows the relevant information like the App ID. This is an important parameter which is used to setup the Modern Authentication. Next is to configure the API Permissions for this Azure App.
From the API permissions section the option to add ad enable the required API Permissions.
The default API Permission for the Microsoft Graph is the User.Read.
By hitting Grant admin consent this Permission is granted. In the next step other two API Permissions need to be added for the Microsoft Graph.
Bu selecting Microsoft Graph it loads a new section where to add the extra Permissions.
The Permission can be a Delegated Permission or Application Permission. The ones required are the Application Permissions.
At this point there are two Permissions that should be added. First one is Directory.Read.All. It can be added browsing to the Directory section or simply searching for this one from the search field above the list.
The second one to add is Group.Read.All.
Next step is to grant access for these Permissions to the newly created Azure App. The Grant admin consent will do that. This works only if the logged in user in the Azure Portal has such permissions. This can also be configured per account accessing the Portal. Global Admin has full access by default.
A new message will pop up to confirm the selection.
Now that the Azure App registration is completed with the App ID and App Permissions the next step is to choose between the App Certificate or the App Secret (Password). This second part will be used as well as an authentication factor. In this instance an App Secret is created.
All is required is a descriptive name (for this secret password) and the expiration date between 1 year, 2 years or never.
Upon creation the App Secret shows the value and it is also a good idea to copy this one in a safe location. It will be hidden as soon as the page is saved. In case the password is forgotten or compromised a new one can be generated. For the same reason better using a short expiration period. The shortest is 1 year.
Now everything is ready to create a service account in Azure AD and associate this one the Azure App. this account with MFA enabled will then be able to pass the MFA challenge providing APP ID, App Secret, Username and Password.
Hi, by ‘Now everything is ready to create a service account in Azure AD and associate this one the Azure App’ what exactly do you mean? is it setting the service account as owner for the app?
Thanks for your comment and apologies for late reply. It’s busy days.
Yes, if you check the properties of the Azure app it is possible the add the owners. By default is the account signed in Azure portal when creating the app.
“Now everything is ready to create a service account in Azure AD and associate this one the Azure App’”… how do you create a service account with MFA that doesn’t need phone/email info in Azure AD? And how do I set a password so it doesn’t expire? (only thing i’ve found is a bit of powershell on the last part)
Apologies for late reply but just missed your message.
I believe the email/phone call/phone text are the only mechanisms that can be used to challenge authentication.