Knowledge Base

Entra ID security policies prevent CodeTwo Backup from connecting to SharePoint Online

Problem:

After enabling Security defaults in Microsoft Entra ID (Azure Active Directory), you are unable to configure a connection to SharePoint Online (Microsoft 365) in CodeTwo Backup. You receive the following or similar error:

Failed to connect to SharePoint by using legacy authentication.

The request failed. The remote server returned an error: 401 Unauthorized.

Cannot contact web site '' or the web site does not support SharePoint Online credentials. The response status code is 'Unauthorized'.

Failed to connect to SharePoint. Identity Client Runtime Library (IDCRL) did not get a response from the Login server.

Solution:

If you experience this problem, it probably means that legacy authentication protocols are disabled in your Microsoft 365 tenant. These protocols are disabled by default when you enable Security defaults in Entra ID. 

CodeTwo Backup uses Modern Authentication (OAuth 2.0) to connect to Exchange Online and SharePoint Online. If you still have connections based on legacy Basic Authentication defined in the program, reconfigure them as shown here. This is the recommended approach to ensure the highest security for your data in Microsoft 365.

Certain actions:

  • restoring custom web part page layouts or surveys that don't allow for multiple responses
  • creating new team sites from within CodeTwo Backup

still require using Basic Authentication (learn more). If you need to use this legacy method, e.g. to restore the above-mentioned data, complete the steps below first.

    Problems connecting to Exchange Online

    If you are using a version of CodeTwo Office 365 Migration/CodeTwo Exchange Migration prior to 3.2.x, or a version of CodeTwo Backup prior to 2.3.x, you may experience similar issues when connecting to Exchange Online. If so, make sure to update your program to the newest version.

    If you insist on using the older version of our migration tool, e.g. to finish your current migration tasks, apply the solutions provided below in this article.

    To disable Security defaults in Entra ID and allow CodeTwo Backup to connect to SharePoint Online using Basic Authentication, follow the steps below.

    Important

    Keep in mind that by completing the following steps you will enable Basic Authentication for all users in your Microsoft 365 organization. Once you complete your backup tasks, you can re-enable security policies in your tenant.

    1. Open the Microsoft Entra admin center.
    2. In the left-hand menu, go to Azure Active Directory (or Identity) > Overview, click the Properties tab and the Manage Security defaults link (see Fig. 1.).
    3. Set the Security defaults option to Disabled, choose a reason for disabling Security defaults, and click Save (Fig. 1.).

    Fig. 1. Disabling Security defaults in Microsoft Entra ID.

    Now, you should be able to successfully complete the SharePoint connection wizard in CodeTwo Backup.

    Re-enabling Security defaults

    To enable Security defaults again, follow the same steps, but select Enabled instead in step 3 (Fig. 1., item 5).

    If you are still unable to connect to your SharePoint Online environment despite disabling Security defaults, verify and change the authentication-related settings for your SharePoint environment, as explained below.

    Enabling access to SharePoint Online resources using non-modern authentication protocols

    Non-modern (legacy) authentication protocols might be disabled in your SharePoint Online environment. You can enable them by setting the LegacyAuthProtocolsEnabled parameter to True.

    It is also recommended to set the RequireAcceptingAccountMatchInvitedAccount parameter to False, which removes the requirement for external users to sign in using the same account to which sharing invitations are sent. When enabled, this feature may also prevent CodeTwo software from connecting to your resources.

    Read on to find out how to make the necessary changes to these parameters by using SharePoint Online Management Shell. If you prefer to make the changes directly in the SharePoint admin center, see this article for instructions:

    1. Open the SharePoint Online Management Shell command prompt.
    2. Connect to your SharePoint Online by using the following command:
      Connect-SPOService -Url https://<organization>-admin.sharepoint.com

      where <organization> is the organization (tenant) name set in Office 365.

    3. Run the following cmdlets:
      Set-SPOTenant -LegacyAuthProtocolsEnabled $True 
      Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $False

    Info

    Processing the changes may take up to 12 hours, so you should temporarily refrain from making any further connection attempts with CodeTwo Backup. If you should experience any authentication issues after making the changes, run the same cmdlets but with the opposite values. This will allow you to revert your configuration back to the previous state.
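Running the cmdlets "with the opposite values" only restores the previous state if the previous values really were the opposite ones. The following added example (not CodeTwo's code) records both settings with Get-SPOTenant before changing them and restores exactly what was recorded; the function names Save-SpoAuthSnapshot and Restore-SpoAuthSnapshot and the variables $AdminUrl, $SnapshotPath and $Settings are hypothetical names chosen for this example.

```powershell
# Added example, not CodeTwo's code. $AdminUrl and $SnapshotPath are placeholders,
# and the two function names are hypothetical.
$AdminUrl     = 'https://<organization>-admin.sharepoint.com'
$SnapshotPath = Join-Path $env:TEMP 'spo-auth-settings-before.json'
$Settings     = 'LegacyAuthProtocolsEnabled', 'RequireAcceptingAccountMatchInvitedAccount'

function Save-SpoAuthSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    # Refuse to overwrite: a second run would record the already-changed values.
    if (Test-Path -Path $Path) { throw "Snapshot already exists: $Path" }
    Get-SPOTenant | Select-Object $Settings | ConvertTo-Json |
        Set-Content -Path $Path -Encoding UTF8
}

function Restore-SpoAuthSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    $before = Get-Content -Path $Path -Raw | ConvertFrom-Json
    Set-SPOTenant -LegacyAuthProtocolsEnabled ([bool]$before.LegacyAuthProtocolsEnabled)
    Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount ([bool]$before.RequireAcceptingAccountMatchInvitedAccount)
    # Print the values now in effect so the restore can be confirmed.
    Get-SPOTenant | Select-Object $Settings
}

Connect-SPOService -Url $AdminUrl

# Before the backup or restore job: record the current values, then apply the change.
Save-SpoAuthSnapshot -Path $SnapshotPath
Set-SPOTenant -LegacyAuthProtocolsEnabled $True
Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $False

# After the job has finished, put the recorded values back:
# Restore-SpoAuthSnapshot -Path $SnapshotPath
```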

    Checking if sign-in attempts were successful

    The Microsoft Entra admin center allows you to check if users’ attempts to sign in to Microsoft 365 were successful. Importantly, this feature also provides information on why an attempt was unsuccessful, which may be useful for troubleshooting. Any sign-in attempts made by CodeTwo Backup will also be displayed on the list.

    To open the sign-in list:

    1. Open the Microsoft Entra admin center.
    2. Go to Azure Active Directory (or Identity) > Users > All users > Sign-in logs.

    A table containing detailed information on all sign-in attempts will be displayed (Fig. 2.).

    Fig. 2. A failed sign-in attempt made by CodeTwo Backup.
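The same sign-in data can be reviewed outside the portal, for example to see which accounts used legacy authentication while Security defaults were disabled and to confirm that no such sign-in succeeds once they are re-enabled. This added example (not CodeTwo's code) filters sign-in records for legacy client apps; the field names follow the Microsoft Graph signIn resource, the records are constructed sample data, and Get-LegacyAuthSignIn is a hypothetical function name.

```powershell
# Added example, not CodeTwo's code. The records are constructed sample data shaped
# like the Microsoft Graph signIn resource; error code 99999 and the reasons are made up.
$sampleJson = @'
[
  {"createdDateTime":"2024-01-10T08:01:00Z","userPrincipalName":"backup-svc@example.com",
   "appDisplayName":"Office 365 SharePoint Online","clientAppUsed":"Other clients",
   "status":{"errorCode":99999,"failureReason":"constructed failure reason"}},
  {"createdDateTime":"2024-01-10T09:15:00Z","userPrincipalName":"backup-svc@example.com",
   "appDisplayName":"Office 365 SharePoint Online","clientAppUsed":"Other clients",
   "status":{"errorCode":0,"failureReason":""}},
  {"createdDateTime":"2024-01-10T09:20:00Z","userPrincipalName":"admin@example.com",
   "appDisplayName":"Microsoft Entra admin center","clientAppUsed":"Browser",
   "status":{"errorCode":0,"failureReason":""}}
]
'@

# Client app values reported for modern authentication; anything else counts as legacy.
$ModernClients = @('Browser', 'Mobile Apps and Desktop clients')

function Get-LegacyAuthSignIn {
    param([Parameter(Mandatory)][object[]]$SignIn)
    foreach ($s in $SignIn) {
        # Records without a client app value are skipped rather than guessed at.
        if ([string]::IsNullOrEmpty($s.clientAppUsed)) { continue }
        if ($ModernClients -contains $s.clientAppUsed) { continue }
        [pscustomobject]@{
            Time      = $s.createdDateTime
            User      = $s.userPrincipalName
            App       = $s.appDisplayName
            ClientApp = $s.clientAppUsed
            Succeeded = ($s.status.errorCode -eq 0)   # error code 0 means success
            Reason    = $s.status.failureReason
        }
    }
}

$records = $sampleJson | ConvertFrom-Json
$legacy  = Get-LegacyAuthSignIn -SignIn $records

# Every legacy-authentication attempt, oldest first.
$legacy | Sort-Object Time | Format-Table -AutoSize

# Successful legacy sign-ins per account: this list should be empty
# once Security defaults are enabled again.
$legacy | Where-Object Succeeded | Group-Object User | Select-Object Name, Count
```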
