Starting November 1st, 2024, Azure ACS will stop working for new tenants. This change affects Commvault's ability to configure new app registrations for SharePoint Online when you use the custom configuration (advanced) option.

Details

• All existing Azure apps will continue to function until April 2nd, 2026, assuming the tenant has DisableCustomAppAuthentication $False.
• There will not be an option to extend using Azure ACS with SharePoint Online beyond April 2nd, 2026.
• This change impacts both existing and new customers that use the Commvault SharePoint Online product.
• This change is related to authorizing Azure apps created for backing up SharePoint Online data.
• Any new Azure apps created after November 1st, 2024, must use certificate-based authentication unless the tenant has DisableCustomAppAuthentication $False.

NOTE: For SharePoint Online tenants created after November 1, 2024, Microsoft is restricting the modification of DisableCustomAppAuthentication on new tenants. Due to this change, you must upgrade to Commvault Platform Release 11.36.28 or later.

Symptoms

Commvault Versions 11.34 and Earlier:

• When you attempt to perform a Verify connection operation from the SharePoint Online Configuration page, a "SharePoint app principal missing" message appears.

• Backup operations will fail with the following error:

Error code: [27:364]
Description: Failed to validate any of the configured Azure Apps against the SharePoint Tenant Admin site. 1) Please verify the SharePoint Tenant Admin Url. 2) Please check the credentials and permissions for the configured apps. 3) Please ensure Custom App authentication is enabled on the SharePoint tenant.
Source: AccessNode, Process: SharePoint

• The SharePoint.log on the Access Node will report the following:

9616  1     11/14 08:56:14 15496 1    ParallelContextCache CheckOffice365CredModern - Office365 app credentials incorrect : 
9616  1     11/14 08:56:14 15496 1    ParallelContextCache CheckOffice365CredModern - Error is: The remote server returned an error: (401) Unauthorized.
9616  256c  11/14 08:56:14 15496 SharePointIDA::CVSPInterfaceWrapper::Initialize(242) - Failed to validate credentials for any apps. Can't proceed.
9616  256c  11/14 08:56:14 15496 SharePointIDA::SharePointBackupCoordinator::initialize(270) - An internal error occurred. (ERROR_INTERNAL_ERROR.1359), Unable to authenticate any app for backup (W32.1359): 0x8007054F:{SharePointIDA::SharePointBackupCoordinator::initialize(270)/Failed to initialize server interface} + {SharePointIDA::CVSPInterfaceWrapper::Initialize(243)/W32.1359.(An internal error occurred. (ERROR_INTERNAL_ERROR.1359))-Unable to authenticate any app for backup}
9616  256c  11/14 08:56:14 15496 DistributedIDA::CMaster::handleEventError(1153) - 0x8007054F:{DistributedIDA::CMaster::initialize(488)} + {SharePointIDA::SharePointBackupCoordinator::initialize(270)/Failed to initialize server interface} + {SharePointIDA::CVSPInterfaceWrapper::Initialize(243)/W32.1359.(An internal error occurred. (ERROR_INTERNAL_ERROR.1359))-Unable to authenticate any app for backup}

Commvault Versions 11.36.28 and Later

• The message "Failed to update azure app" will be displayed when generating a certificate if insufficient permissions have been provided to the app registration.

Causes

As part of its evolution of Microsoft 365 solutions, Microsoft will be retiring the use of Azure ACS (Access Control Services) for SharePoint Online.

Resolution

Commvault has added support to generate certificates for SharePoint Online app registrations in Commvault Platform Release 2024E (11.36.28) and later. If you are running an earlier version and attempting to add a new app registration to the SharePoint Online client, then you will be required to upgrade to Commvault Platform Release 2024E (11.36.28) or to set DisableCustomAppAuthentication $False for the tenant.

Commvault Versions 11.36.28 and Later

How to add a certificate to an existing app registration:

• Before beginning these steps, verify that your existing app registration has been assigned the correct API permissions.

1. Navigate to the SharePoint pseudo client and then change to the Configuration tab.

2. Under the SharePoint connections settings section, use the action menu and select Generate certificate.

3. Once the certificate has been generated, you will see the following confirmation:

4. In the Azure portal, you can confirm that a certificate has been created by navigating to the app registration, expanding out Manage, and then clicking on Certificates & secrets.

Commvault Versions 11.34 and Earlier

• How to check and set the value of DisableCustomAppAuthentication within the SPO tenant:

Please note: The following steps should be taken from a non-Commvault system that has internet access.

1. Before getting started, verify that you are running the latest version of the SharePoint Online Management Shell.

2. Identify the Tenant Admin Site URL for your Commvault SharePoint Online Client.

• This can be done from the Configuration page of the SharePoint Online Client within the Command Center.

3. Connect to the Tenant Admin Site URL using SharePoint Online Management Shell.

     PowerShell> Connect-SPOService https://YOUR-SITE-HERE-admin.sharepoint.com/

4. Check to see the current value of DisableCustomAppAuthentication.

PowerShell> Get-SPOTenant |fl DisableCustomAppAuthentication

5. If the value is set to True, the following command can be run to set it to False.

PowerShell> Set-SPOTenant -DisableCustomAppAuthentication $False

6. Recheck the value to ensure that it has been set correctly to False by rerunning the command in step 4.

7. With this value set to false you can now create App Registrations for SharePoint Online without the need of a certificate while utilizing the steps outlined here.