How to: O365 Backup & Archive Setup (simple auth)

This KB walks you through setting up backups for your O365 organisation using simple authentication.

Create a Microsoft 365 Backup with Simple Authentication

Permissions:

There are several permission requirements for your Office 365 Backup to function correctly. These permissions are:

  • Application Impersonation role - to get items from users. To allow this role assignment, the account must be granted the Organization Management permission.
  • Organizations Configuration role - to manage role assignments.
  • View-Only Configuration role - to obtain the necessary organization configuration parameters.
  • View-Only Recipients role - to view the list of mailbox recipients.
  • Role Management role - to manage and verify role assignments.
  • MailboxSearch or MailRecipients - to back up groups.
  • SharePoint Administrator role - to get items from SharePoint.

If the above roles are not granted, further processing will not be possible. The above roles can be assigned by using either of the following methods:

  • Using the Microsoft Admin Portal.
  • Manually, by using Exchange Management PowerShell cmdlets.

Ensure that your admin user has the appropriate permissions to access all mailboxes, OneDrives, and SharePoint sites. Please note that we are not responsible for data that has not been backed up because of incorrect setup.

It is best practice to create a separate Office 365 admin group and service account that holds as few roles as possible and is used purely for the Office 365 Backup connection. Further information on why this is best practice can be found in Overview: Backup for Office 365 Performance & Limitations. To set this up, we have included instructions for both the O365 Admin Portal and a PowerShell script.

Applying permissions for Simple Authentication

To apply the required permissions via the Microsoft Admin Portal:

  1. Open the Microsoft Admin Portal.
  2. Select the Admin Centers dropdown, and select Exchange.
  3. On the left-hand menu, select Permissions.
  4. Under the Admin Roles menu, select Add (the Add icon) and provide a name for the custom O365 permissions group.
  5. Add the Application Impersonation, Organizations Configuration, View-Only Configuration, View-Only Recipients, Role Management, MailboxSearch and MailRecipients roles to this permission group, and assign your designated O365 account as a member of this permission group.
  6. Save the group.
  7. Return to the Microsoft Admin Portal.
  8. Select Users on the left-hand side menu, and select Active Users.
  9. Select the user that you are assigning permissions for (also known as the backup service account).
  10. On the menu that opens, locate Roles and select Edit.
  11. Select Customized administrator, and select SharePoint administrator.
  12. Adding an Authentication policy:
        1. Connect to the Exchange Online module
          1. First, open PowerShell as an administrator.
          2. Install the Exchange module by running the command:
            Install-Module -Name ExchangeOnlineManagement -Force
          3. Then import this module using the following command. Select 'yes' for any prompts that pop up.
            Import-Module ExchangeOnlineManagement -Force
          4. Sign in to your Microsoft account by running
            Connect-ExchangeOnline
            and entering your details.
        2. Determine whether there is a pre-existing authentication policy in place
          1. Run the command
            Get-AuthenticationPolicy
          2. If there is no output, then there is no policy in place and one will need to be created. Please follow the steps in 12-3.

            NOTE: If you receive an error in PowerShell:
            "The term 'Get-AuthenticationPolicy' is not recognised"
            Please double-check that you have enabled the SharePoint and Exchange admin roles for your new user as in step 11-d.

          3. If there is already a policy in place, you will need to ensure that "true" is listed for "AllowBasicAuthPowershell" and "AllowBasicAuthWebService". If it is not, it will need to be adjusted using this Microsoft Article as a guide. Once done, you will need to assign the policy to your backup service account as in step 3-c below.
        3. The following is an example of the commands you can use to create an authentication policy and apply the required adjustments.
          1. To create the authentication policy, run the following command in the opened PowerShell window:
            New-AuthenticationPolicy -Name "Allow Basic Auth"
          2. To enable AllowBasicAuthPowershell and AllowBasicAuthWebService in the new authentication policy, run the commands:
            Set-AuthenticationPolicy -Identity "Allow Basic Auth" -AllowBasicAuthPowershell

            Set-AuthenticationPolicy -Identity "Allow Basic Auth" -AllowBasicAuthWebService
          3. To assign this policy to the backup service account, run the command:
            Set-User -Identity <UserIdentity> -AuthenticationPolicy "Allow Basic Auth"
            Note: <UserIdentity> is the backup service account.

    You have now set all required permissions for Probax O365 Backups.
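
    The following check is an added example, not part of the original KB and not Probax's own script. Run after step 12, it confirms that the basic authentication policy and the custom role group apply only to the backup service account. The service account UPN and role group name are placeholders (assumptions), and an active Connect-ExchangeOnline session is assumed.

```powershell
# Added example: least-privilege audit to run after step 12.
# Requires an active Connect-ExchangeOnline session.
$PolicyName     = 'Allow Basic Auth'            # policy name used in step 12
$ServiceAccount = 'svc-o365backup@example.com'  # placeholder UPN (assumption)
$RoleGroup      = 'O365 Backup Permissions'     # placeholder group name (assumption)
$findings       = @()

# 1. The policy should enable the two settings the backup needs and no others.
#    Wildcard: the cmdlet reports the web-service setting as AllowBasicAuthWebServices.
$needed  = 'AllowBasicAuthPowershell', 'AllowBasicAuthWebService*'
$policy  = Get-AuthenticationPolicy -Identity $PolicyName
$enabled = @($policy.PSObject.Properties |
    Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
    Select-Object -ExpandProperty Name)
foreach ($n in $needed) {
    if (-not ($enabled | Where-Object { $_ -like $n })) { $findings += "Not enabled: $n" }
}
foreach ($e in $enabled) {
    if (-not ($needed | Where-Object { $e -like $_ })) { $findings += "Enabled but not required: $e" }
}

# 2. The policy must not be the organisation-wide default.
$default = (Get-OrganizationConfig).DefaultAuthenticationPolicy
if ("$default" -like "*$PolicyName*") {
    $findings += 'Policy is the organisation default: users without their own policy inherit it'
}

# 3. Only the backup service account should have the policy assigned.
$assigned = @(Get-User -ResultSize Unlimited |
    Where-Object { "$($_.AuthenticationPolicy)" -like "*$PolicyName*" })
foreach ($u in $assigned) {
    if ($u.UserPrincipalName -ne $ServiceAccount) {
        $findings += "Policy also assigned to: $($u.UserPrincipalName)"
    }
}
if ($ServiceAccount -notin $assigned.UserPrincipalName) {
    $findings += "Policy is not assigned to $ServiceAccount"
}

# 4. The custom role group should contain the service account only.
$members = @(Get-RoleGroupMember -Identity $RoleGroup)
if ($members.Count -ne 1) {
    $findings += "Role group has $($members.Count) members: $($members.Name -join ', ')"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Basic-auth policy and role group are scoped to the service account only.' }
```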

Linking your organisation account on Hive

  1. Log into Probax Hive.
  2. Within the right-hand panel, select the Accounts tab and navigate to the desired account. (In the event you do not yet have an account for your organisation, simply select Create New Account near the upper-right section of the site).
  3. Select the option Manage Storage Spaces at the upper-right corner of the site within the Resources tab.
  4. Select the option Add New Storage Space.
  5. Navigate to the Office 365 section. Select Change to Basic Authentication at the top of the wizard and fill in the required details.
  6. Once the account has been successfully added, your organisation will appear similar to what is shown below.