How to enable MFA for Office 365

Source: Veeam

Starting from the recently released version 3, Veeam Backup for Microsoft Office 365 allows for retrieving your cloud data in a more secure way by leveraging modern authentication. For backup and restores, you can now use service accounts enabled for multi-factor authentication (MFA). In this article, you will learn how it works and how to set up things quickly.

How does it work?

For modern authentication in Office 365, Veeam Backup for Microsoft Office 365 leverages two different accounts: an Azure Active Directory custom application and a service account enabled for MFA. An application, which you must register in your Azure Active Directory portal in advance, will allow Veeam Backup for Microsoft Office 365 to access Microsoft Graph API and retrieve your Microsoft Office 365 organizations’ data. A service account will be used to connect to EWS and PowerShell services.

Correspondingly, when adding an organization to the Veeam Backup for Microsoft Office 365 scope, you will need to provide two sets of credentials: your Azure Active Directory application ID with either an application secret or application certificate and your services account name with its app password:

Can I disable all basic authentication protocols in my Office 365 organization?

While Veeam Backup for Microsoft Office 365 v3 fully supports modern authentication, it has to fill in the existing gaps in Office 365 API support by utilizing a few basic authentication protocols.

First, for Exchange Online PowerShell, the AllowBasicAuthPowershell protocol must be enabled for your Veeam service account in order to get the correct information on licensed users, users’ mailboxes, and so on. Note that it can be applied on a per-user basis and you don’t need to enable it for your entire organization but for Veeam accounts only, thus minimizing the footprint for a possible security breach.

Another Exchange Online PowerShell authentication protocol you need to pay attention to is the AllowBasicAuthWebServices. You can disable it within your Office 365 organization for all users — Veeam Backup for Microsoft Office 365 can make do without it. Note though, that in this case, you will need to use application certificate instead of application secret when adding your organization to Veeam Backup for Microsoft Office 365.

And last but not the least, to be able to protect text, images, files, video, dynamic content and more added to your SharePoint Online modern site pages, Veeam Backup for Microsoft Office 365 requires LegacyAuthProtocolsEnabled to be set to $True. This basic authentication protocol takes effect for all your SharePoint Online organization, but it is required to work with certain specific services, such as ASMX.

How can I get my application ID, application secret and application certificate?

Application credentials, such as an application ID, application secret and application certificate, become available on the Office 365 Azure Active Directory portal upon registering a new application in the Azure Active Directory.

To register a new application, sign into the Microsoft 365 Admin Center with your Global Administrator, Application Administrator or Cloud Application Administrator account and go to the Azure Active Directory admin center. Select New application registration under the App registrations section:

 

Add the app name, select Web app/API application type, add a sign-on URL (this can be any custom URL) and click Create:

 

Your application ID is now available in the app settings, but there’re a few more steps to take to complete your app configuration. Next, you need to grant your new application the required permissions. Select Settings on the application’s main registration page, go to the Required permissions and click Add:

 

In the Select an API section, select Microsoft Graph:

 

Then click Select permissions and select Read all groups and Read directory data:

Note that if you want to use application certificate instead of application secret, you must additionally select the following API and corresponding permissions when registering a new application:

  • Microsoft Exchange Online API access with Use Exchange Web Services with full access to all mailboxes’ permissions
  • Microsoft SharePoint Online API access with Have full control of all site collections permissions

To complete granting permissions, you need to grant administrator consent. Select your new app from the list in the App registrations (Preview) section, go to API Permissions and click Grant admin consent for <tenant name>. Click Yes to confirm granting permissions:

 

Now your app is all set and you can generate an application secret and/or application certificate. Both are managed on the same page. Select your app from the list in the App registrations (Preview) section, click Certificates & secrets and select New client secret to create a new application secret or select Upload certificate to add a new application certificate:

 

For application secret, you will need to add secret description and its expiration period. Once it’s created, copy its value, for example, to Notepad, as it won’t be displayed again:

How can I get my app password?

If you already have a user account enabled for MFA for Office 365 and granted with all the roles and permissions required by Veeam Backup for Microsoft Office 365, you can create a new app password the following way:

  • Sign into the Office 365 with this account and pass additional security verification. Go to user’s settings and click Your app settings:
  • You will be redirected to https://portal.office.com/account, where you need to navigate to Security & privacy and select Create and manage app passwords:
  • Create a new app password and copy it, for example, to Notepad. Note that the same app password can be used for multiple apps or a new unique app password can be created for each app.

What’s next?

Now you have all the credentials to start protecting your Office 365 data. When adding an Office 365 organization to the Veeam Backup for Microsoft Office 365 scope, make sure you select the correct deployment type (which is ‘Microsoft Office 365’) and the correct authentication method (which in our case is Modern authentication). Keep in mind that with v3, you can choose to use the same or different credentials for Exchange Online and SharePoint Online (together with OneDrive for Business). If you want to use separate custom applications for Exchange Online and SharePoint Online, don’t forget to register both in advance in a similar way as described in this article.

The post How to enable MFA for Office 365 appeared first on Veeam Software Official Blog.


How to enable MFA for Office 365

How to build a disaster recovery plan and enable business continuity with Veeam

Source: Veeam

Here’s a true story from one of our customers. A gas explosion resulted in a major power failure downtown, which in turn left the company’s primary data center offline for a week. This is a classic example of an IT Disaster – unexpected and unpredictable, disrupting business continuity and affecting Always-On operations. We can only imagine how much it could cost that company to stay offline for a week (as much as losing their business, I’d say), if they didn’t have a reliable disaster recovery (DR) plan and an Availability solution to execute this plan.

A solid DR plan makes your company resilient to IT disruptions and able to restore your services in case of disaster with minimal to no impact on users and business operations. It’s not just making regular backups, but a complex IT infrastructure assessment and documenting (including hardware, software, networks, power and facilities), business impact analysis of applications and workloads and planning on staff, roles and risk assessment. And above all, there’s an essential testing and exercising of your disaster recovery plan. If you don’t test, how would you know that it works as expected?

Unlike physical infrastructures with all their complexity, virtualization gives more flexibility in management and processes allowing you to do more with less. For virtualized data centers, Veeam delivers joint capabilities of enabling data Availability and infrastructure management. By using Veeam Availability Suite, you cover multiple points in your DR plan at once and get:

  • Offsite replication with traffic optimization and advanced capabilities
  • Easier disaster recovery orchestration and recovery testing
  • Infrastructure assessment and documentation
  • Capacity planning and “What if” modelling
  • Backup and virtual infrastructures monitoring and reporting

These also address compliance audit needs by providing you with up-to-date information on backed-up workloads, backups reliability and actual data recovery time versus your SLAs. If staying compliant and ready for audits is important for you, I recommend you read the new white paper by Hannes Kasparick, Mastering compliance, audits and disaster recovery planning with Veeam.

Replication as a core disaster recovery technology

DR planning includes defining the lowest possible RTO to minimize the disruption of business operations. In terms of ability to restore failed operations in minutes, replication mechanism wins the game allowing you to instantly switch the failed workload to its ready-to-use “clone” to get the lowest-possible RTO. For DR purposes, standby replicas of production VMs are stored on a remote secondary site or in the cloud. Even if the production site goes down, like in my example with a major power failure, a remote site remains unaffected by the disaster and can take the load.

In the near future, Veeam will release a new solution for scalable, flexible and easier-to-use disaster recovery planning and orchestration – Veeam Availability Orchestrator. This new product will support disaster recovery scenarios for many VMs at multiple locations and provide automated, template-based documentation to meet compliance requirements. If you want to be the first to test it, register now to know when Veeam Availability Orchestrator is GA or to test the Beta right now!

Test your DR plan!

All data security and management standards (ISO family is not an exception) imply DR plan testing as a mandatory exercise. You can never know if everything will work as expected in cases of real disasters until you try it and run the planned procedures in advance. DR simulation will also allow you to ensure that your personnel are well-prepared for extreme IT situations and everyone mentioned in your DR plan is aware of the activities they need to perform. If you discover any drawbacks during DR testing – either human or software-related – you’ll have a good chance to fix your DR plan accordingly and thus potentially avoid serious disruptions in your business continuity.

Automated recovery verification for backups and replica restore points built in Veeam Backup & Replication (for no additional fees!) will save you much time and additional resources for testing. SureReplica allows to boot replicated VMs (VMware only for v9) to the necessary restore point in an isolated Virtual Lab and automatically perform heartbeat, ping and application tests against them. Also, you have an option to run your own customized tests – all without any impact on your production.

Final word

Disaster recovery planning is not just another bureaucracy, but a set of measures to maintain an organization’s business continuity. Built in compliance with international regulations and standards, a DR plan gives your customers a high level of confidence in your non-stop services, data security and Availability. Veeam helps you to stay compliant with both internal and external IT regulations, be ready for audit and be able to restore any system or data in minutes.

The post How to build a disaster recovery plan and enable business continuity with Veeam appeared first on Veeam Software Official Blog.

How to build a disaster recovery plan and enable business continuity with Veeam

Get to know the reference design for replication services with Veeam Cloud Connect v9

Source: Veeam

At the beginning of 2016 Veeam released the NEW Veeam Availability Suite v9 and one of the biggest enhancements in the software has been the new version of Veeam Cloud Connect, this time offering replication services.

The amount of new options, features and best practices for Veeam Cloud Connect v9 is so impressive that it deserved not just white paper, but a proper book! Luca Dell’Oca, EMEA Cloud Architect for Veeam, has recently presented his new Reference Architecture Guide for Veeam Cloud Connect v9, which goes far beyond your expectations and covers nearly everything you ever wanted to know about setting up cloud services with Veeam. One of the things that cloud services administrators and networking experts may value most in this eBook is the accuracy in providing lab examples as close to a real production environment as possible. And there’s even more – a printed version of the Reference Architecture Guide is coming soon, so you can always have it at hand!

For service providers, Veeam Cloud Connect with replication opens new and exciting revenue opportunities through DRaaS offerings. We keep saying that offering DRaaS services with Veeam is EASY and it really IS! This blog post is inspired by Luca’s Reference Architecture Guide and is meant to demonstrate you the fancy logic of Veeam Cloud Connect design. We’ll review the list of key Veeam Cloud Connect architecture components and their roles. This will help you as a service provider architect to easily navigate in the product documentation and start with VCC implementation.

Veeam Cloud Connect architecture

Veeam Cloud Connect works with both VMware vSphere and Microsoft Hyper-V virtual environments and leverages Veeam replication technology to create VM replicas at the cloud-based DR site. Its modular architecture includes a number of required and optional components – some of them are cloud-specific and others are a part of Veeam Backup & Replication infrastructure that you’re already familiar with. Thus, to provide DRaaS services with Veeam Cloud Connect you need to have in your infrastructure a Veeam backup server, Veeam Enterprise Manager, proxies and WAN accelerators. What else? On the scheme below you can see several highlighted components – Veeam Cloud Connect Portal, cloud gateways and network extension appliances – all proprietary to Veeam Cloud Connect. Let’s now review their roles and understand their specifics.

Replication services with Veeam Cloud Connect v9

Veeam Cloud Connect Portal

Veeam Cloud Connect Portal (or Cloud Portal) is critical for DRaaS cloud services offerings. Using Cloud Portal web UI, your tenants can execute their cloud failover plans and instantly switch to their cloud-based VM replicas in case of emergency. The web-based Cloud Portal operates over a single 6443 TCP port and can be accessed from any device and location over an HTTPS connection.

Replication services with Veeam Cloud Connect v9

Cloud Portal comes as an additional component of Veeam Enterprise Manager. You need to choose its installation during the Veeam Enterprise Manager setup. It’s recommended to use a dedicated server for Veeam Enterprise Manager with Cloud Portal installation.

Replication services with Veeam Cloud Connect v9

Cloud Portal UI is something your tenants will be using regularly and its look can be easily customized to become a part of your branding strategy! You can apply your company’s colors, name and even change the portal name. For more details on this, I suggest you to read my colleague’s blog post Veeam Cloud Connect Portal branding.

Cloud Gateways

To establish a secure and reliable connection between tenant’s and service provider’s infrastructures Veeam uses cloud gateways – network appliances running on Windows OS (see the full list of requirements). Cloud gateways enable the single-port connectivity for Veeam Cloud Connect by tunneling all data traffic over a single TCP or UDP port (for DRaaS services), secured with an SSL certificate.

Cloud gateways also help to balance the traffic load on the service provider side. For better scalability, redundancy and load balancing you can install several cloud gateways and create a pool of such network appliances.

Replication services with Veeam Cloud Connect v9

Network extension appliances

The network extension appliance is a Linux-based auxiliary VM created both on tenant and service provider virtualization hosts with source VMs and their replicas to establish communication between them. Network extension appliances are mandatory for enabling DRaaS services and are installed automatically by Veeam Backup & Replication.

These tiny VMs are responsible for failover capabilities. During a full-site failover, the network extension appliance provides internet access for replica VMs and makes replicas accessible from the internet. During partial site failover, it extends the customer network to the service provider environment and allows production VMs on the tenant side to communicate with their replicas in the cloud.

Replication services with Veeam Cloud Connect v9

Summary

Veeam Cloud Connect adds just a few specific components to a service provider infrastructure, including a Cloud Portal, cloud gateways and network extension appliances – all required if you’re going to provide DRaaS services. They enable a single-port connectivity between tenant and service provider hosts, route replication traffic and commands, allow tenants to perform full and partial site failover and provide a web-based management portal.

Veeam Cloud Connect not only provides you an easy and efficient way to extend your service offering with BaaS and DRaaS, but also allows you to do it within your company’s branding strategy familiar to your tenants.

Additional resources

Veeam Availability Orchestrator

The post Get to know the reference design for replication services with Veeam Cloud Connect v9 appeared first on Veeam Software Official Blog.

Get to know the reference design for replication services with Veeam Cloud Connect v9