

Microsoft, in late 2019, announced Azure Active Directory ‘Security Defaults’ as a simple one-click approach for customers to instantly harden their environment and compel stronger security standards. With it, MFA was enabled for all accounts, Basic Authentication was blocked and unattended PowerShell scripts were prevented. It also meant that there were problems for some third-party software that relied on scripted automation, most notably backup.
In Feature Release 11.20, Commvault introduced Modern Authentication support; however, the unattended OAuth2 ROPC authentication flow would fail with error code AADSTS50076 because the “User did not pass the MFA challenge (non interactive)”. This meant that customers who wanted to protect Exchange Online had to rely on journal forwarding to an Exchange Server or configure a ContentStore SMTP Server client.
The good news is that, in this article, I will be highlighting a recent hidden gem that now allows customers to protect Exchange Online User Mailboxes. There is an additional setting that, when applied to the Exchange Mailbox Access Node, will instruct Commvault to ignore the configured Service Account for PowerShell automation. By applying this change, Commvault will just use the configured Microsoft Graph App Registrations for both administrative commands and backup.
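Why the service-account path fails while the App Registration path does not, as an added example that is not from the original article or from Commvault: it contrasts the ROPC token request with an app-only request and triages a constructed AADSTS50076 error body. That the App Registrations authenticate with the OAuth2 client credentials grant is an assumption, as are the function names, the tenant placeholder and all sample values.

```python
import json
import re
from urllib.parse import parse_qs, urlencode

# Microsoft identity platform v2.0 token endpoint; {tenant} is a placeholder.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def ropc_body(client_id, username, password, scope):
    """Unattended service-account sign-in: user credentials travel in the request."""
    return urlencode({"grant_type": "password", "client_id": client_id,
                      "username": username, "password": password, "scope": scope})


def app_only_body(client_id, client_secret, scope):
    """App Registration sign-in (assumed client credentials grant): no user, no MFA step."""
    return urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": scope})


def triage(request_body, raw_response):
    """Pair the grant type that was sent with the AADSTS codes that came back."""
    grant = parse_qs(request_body).get("grant_type", ["unknown"])[0]
    doc = json.loads(raw_response)
    codes = set(doc.get("error_codes", []))
    # Some responses carry the code only inside the description text.
    codes.update(int(c) for c in re.findall(r"AADSTS(\d+)", doc.get("error_description", "")))
    return {"grant_type": grant, "codes": sorted(codes),
            "mfa_blocked_ropc": grant == "password" and 50076 in codes}


# Constructed sample of the error body a ROPC request receives when MFA is enforced.
SAMPLE_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS50076: Due to a configuration change made by your "
                         "administrator, or because you moved to a new location, you "
                         "must use multi-factor authentication to access the resource.",
    "error_codes": [50076],
})

if __name__ == "__main__":
    scope = "https://graph.microsoft.com/.default"
    # Constructed identifiers; nothing is sent over the network.
    sent = ropc_body("00000000-0000-0000-0000-000000000000",
                     "svc-backup@example.com", "not-a-real-password", scope)
    print(TOKEN_URL.format(tenant="example.onmicrosoft.com"))
    print(triage(sent, SAMPLE_ERROR))
```

A `mfa_blocked_ropc` result of `True` identifies a job that is still signing in with the Service Account rather than the App Registration.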
To implement this, Commvault will need to be updated to at least Feature Release 11.22, although I recommend 11.23 as it has a more precise User Mailbox discovery. Also, with Feature Release 11.23, Commvault can protect the user Archive Mailbox without using service accounts. The only Exchange data protection feature I have observed that is not yet supported (but will be soon) is Exchange Public Folders.
Also, at the time of writing, this is only available through the Commvault Command Center, by creating an O365 Application. This will create an Exchange Mailbox instance of ‘Environment Type = Exchange Online (Access Through Azure Active Directory)’. Future releases of Commvault will protect the other Environment Types: ‘Exchange Online (Access Through On-Premises Active Directory)’ and ‘Exchange Hybrid’.
The hardware requirements remain identical (Index Server with Exchange Role plus an Access Node). Within Azure you will need to manually create the App Registrations that will be entered into the Command Center. The backup storage targets and RPO will be configured under a Command Center ‘Server Plan’ and the message level protection will be configured under an ‘Office365 Plan’ (similar to Exchange Configuration Policies).
Configuration

Name: bDisablePSForModerAuth
Category: iDataAgent
Type: INTEGER
Value: 1
Then you will need to add an O365 App in the Command Center.


You can either create your own App Registrations in the Azure Portal or, optionally, download the ‘CVO365CustomConfigHelper.exe’ toolkit that is available from the FR11.23 configuration.








In Conclusion
Note that because this leaves one fewer powerful Service Account configured in your Commvault environment, you may want to consider this security-hardened backup configuration even if you have Security Defaults disabled and are using Conditional Access Policies through your Azure Premium Subscription.
I recently implemented this on FR11.22, and then after a few days Commvault was updated to FR11.23 to protect the Archive Mailboxes. I had already created an internal utility to extract Exchange Mailbox Job activity and was able to quickly tweak it to show how many messages were initially protected and subsequently how many more were protected once the Office 365 Plan protected user Archive Mailboxes.
I have used that data in a Custom Report I created that shows the initial backup activity for my user mailbox and the subsequent protection of my Archive Mailbox. This report reads the extracted Exchange Mailbox job activity data and shows the number of messages protected with each backup job for each mailbox chosen. If you are interested in this report then feel free to reach out to us.


