Azure security policies prevent CodeTwo software from connecting to Office 365
Problem:
After enabling Security defaults in the Azure Active Directory, you are unable to configure a connection to Microsoft 365 (Office 365) in your CodeTwo software. You receive the following or similar error:
The request failed. The remote server returned an error: 401 Unauthorized. Cannot contact web site '' or the web site does not support SharePoint Online credentials. The response status code is 'Unauthorized'. Failed to connect to SharePoint. Identity Client Runtime Library (IDCRL) did not get a response from the Login server.
Solution:
If you experience this problem, it probably means that legacy authentication protocols are disabled in your Microsoft 365 tenant. These protocols are disabled by default when you enable Security defaults in the Azure AD.
If you block legacy authentication protocols in Microsoft 365, CodeTwo Backup will not be able to connect to your SharePoint Online environment (Fig. 1.), and you will also experience problems when running SharePoint backup and restore jobs in the program.
To fix this, try the solutions provided below:
- Disable Security defaults that block the legacy authentication protocols
- Enable access to SharePoint Online resources using non-modern authentication protocols
- Use an app password instead of a regular Microsoft 365 (Office 365) password when configuring a connection to Office 365 in your CodeTwo software (provided multi-factor authentication (MFA) is turned on in your tenant). Learn more from this article
Problems connecting to Exchange Online
In the case you are using CodeTwo Office 365 Migration/CodeTwo Exchange Migration version prior to 3.2.x, or CodeTwo Backup version prior to 2.3.x, you may experience similar issues when connecting to Exchange Online. If so, make sure to update your program to the newest version:
If you insist on using the older version of our migration tool, e.g. to finish your current migration tasks, apply the solutions provided below in this article.
Fig. 1. CodeTwo Backup fails to connect to Office 365 when the policy that blocks legacy authentication is enabled.
Disabling Security defaults in Azure Active Directory
Follow the steps below to disable Security defaults in Azure AD that block basic authentication.
Important
Keep in mind that by completing the following steps you will enable basic authentication for all users in your Microsoft 365 (Office 365) organization. Once you complete your backup tasks, you can re-enable these policies.
- Open the Microsoft Entra admin center.
- In the left-hand menu, go to Azure Active Directory (or Identity) > Overview, click the Properties tab and the Manage Security defaults link (see Fig. 2.).
- Set the Security defaults option to Disabled, choose a reason for disabling Security defaults, and click Save (Fig. 2.).
Fig. 2. Disabling Security defaults in Azure Active Directory.
To enable Security defaults again, follow the same steps, but select Enabled instead in step 3 (Fig. 2., item 5).
Enabling access to SharePoint Online resources using non-modern authentication protocols
The root cause of the error may be that non-modern (legacy) authentication protocols are disabled in your SharePoint Online environment. You can enable them by setting the LegacyAuthProtocolsEnabled parameter to True.
It is also recommended to set the RequireAcceptingAccountMatchInvitedAccount parameter to False, which removes the requirement for external users to sign in using the same account to which sharing invitations are sent. When enabled, this feature may also be preventing CodeTwo software from connecting to your resources.
Read on to find out how to make the necessary changes to these parameters by using SharePoint Online Management Shell. If you prefer to make the changes directly in the SharePoint admin center, see this article for instructions:
- Open the
SharePoint Online Management Shell command prompt. - Connect to your SharePoint Online by using the following command:
Connect-SPOService -Url https://<organization>
-admin.sharepoint.com where <organization>
is the organization (tenant) name set in Office 365. - Run the following cmdlets:
Set-SPOTenant -LegacyAuthProtocolsEnabled $True Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $False
Info
Processing the changes may take up to 12 hours, so you should temporarily refrain from making any further connection attempts with your CodeTwo product. If you should experience any authentication issues after making the changes, run the same cmdlets but with the opposite values. This will allow you to revert your configuration back to the previous state.
If you should experience any authentication issues after making the changes, run the same cmdlets but with the opposite values. This will allow you to revert your configuration back to the previous state.
Checking if sign-in attempts were successful
The Microsoft Entra admin center (Azure Portal) allows you to check if users’ attempts to sign-in to Microsoft 365 were successful. Importantly, this feature also provides information on why an attempt was unsuccessful, which may be useful for troubleshooting. Any sign-in attempts made by CodeTwo software will also be displayed on the list.
To open the sign-in list:
- Open the Microsoft Entra admin center.
- Go to Azure Active Directory (or Identity) > Users > All users > Sign-in logs.
A table containing detailed information on all sign-in attempts will be displayed (Fig. 3.).
Fig. 3. A failed sign-in attempt made by CodeTwo Backup.
| Related products: | CodeTwo Backup for Exchange, CodeTwo Backup for Office 365 |
| Categories: | Troubleshooting |
| Last modified: | July 14, 2023 |
| Created: | October 2, 2019 |
| ID: | 825 |
