
How to: O365 Backup & Archive Setup

This article will show you how to set up permissions and back up your O365 organisation.

From accidental deletion of accounts and data to malicious intent, here at Probax we believe that you can never be too prepared for any disastrous scenarios. That is why we support backups for Microsoft 365. 

Before you get started:

Licensing:

Please review our Microsoft 365 Backup & Archive FAQ to understand how the solution works and how to license it correctly. Please note that failure to license the solution correctly is in breach of our Acceptable Use Policy.

Authentication

Microsoft 365 Backup & Archive supports the following authentication types:

Create a Microsoft 365 Backup with Modern Authentication (Recommended)

Several steps are required to prepare for the use of MFA with Office 365 backups. This simplified step-by-step guide will have you on your way in no time. It runs through the following:

  • Registering an application in Azure Active Directory
  • Obtaining the Application ID
  • Creating and obtaining a client application secret
  • Setting up a new MFA user account solely for backups
  • Assigning the required roles for the newly created user account

    1. Log into the Azure Active Directory admin centre and navigate to "Properties", which is shown on the left-hand panel:
      1. At the bottom of the screen, select "Manage Security defaults".
      2. Ensure that the option "No" is selected and click "Save" if adjustments were made.
    2. Navigate to App registrations and select New registration:


    3. Insert your desired name, select the option Accounts in this organisational directory only, followed by Register.
    4. Once registered, you will need to grant your application the required permissions. Select Overview followed by View API Permissions:
    5. Assign the Microsoft Graph Permissions
      1. Select Add a permission:
      2. Within the wizard, select Microsoft Graph followed by Application permissions:

      3. Navigate through the permissions list and apply the permissions Directory.Read.All, TeamSettings.ReadWrite.All and Group.Read.All as Application permissions.
    6. Assign the SharePoint Permission
      1. Select Add a permission:
      2. Select SharePoint in the wizard, then select Application permissions.

      3. Select the Sites.FullControl.All and User.Read.All permissions, then click 'Add permissions' to finalise this change.
    7. Assign the Exchange Permissions
      1. Whilst signed into the Azure Portal as a Global Admin account, navigate to Azure Active Directory.
      2. Within the left-hand panel, select "App registrations", followed by selecting the O365 application for your backups.
      3. Click "Add a Permission".

      4. Navigate to the tab "APIs my organization uses".
      5. Search for "Office 365 Exchange Online", and select "Application permissions".
      6. Under the heading "Other permissions", select the full_access_as_app permission and click "Add permissions" at the bottom of the screen.

    8. Under the option Grant consent, select “Grant admin consent for…”:
    9. Confirm that Admin consent has been granted and then select Overview:

    10. Take note of the Application ID in a way that you can easily refer back to (Application ID – ExampleValue), as this is required for adding MFA to Probax Hive.
    11. In order to create an Application Secret, navigate to Certificates & Secrets followed by + New client secret.
    12. Insert the desired description and select an expiry date within the wizard, then select Add.
    13. You will notice an Application Secret ID, similar to what is shown below. It is important to take note of this ID in a way that you can easily refer back to this value (Application Secret – ExampleValue).
    14. Navigate back to the Azure Active Directory admin centre dashboard, select Users – All users, then select New user.
    15. Create your Probax O365 backup user, ensuring that you include the roles Exchange Administrator and SharePoint Administrator under Directory role.
    16. Once the account has been created, select Multi-Factor Authentication within the All users view.

    17. Select the account and Enable MFA for the account.
    18. Return to the Microsoft Admin Portal, select the Admin Centers drop-down and select Exchange.
    19. Navigate to Permissions and select the + symbol to create a new admin role.

    20. Enter the desired name for the new role, add the ApplicationImpersonation role, add the newly created backup account as a member then hit Save.
    21. Finally, to obtain the App Password, sign into the newly created account in Microsoft Office 365, and proceed to add additional security verification to the account. It is important to take note of this password in a way that you can easily refer back to this value (App password – ExampleValue).
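
    The app registered above holds tenant-wide permissions (Sites.FullControl.All, full_access_as_app), so it is worth confirming that exactly the permissions from steps 5 to 7 were consented and when the client secret expires. The following is an added example, not Probax's own tooling; it uses the Microsoft Graph PowerShell SDK, `$AppId` is a placeholder, and the API display names in `$Expected` are assumptions to adjust if your tenant shows different names.

```powershell
# Added example, not Probax code. Requires the Microsoft Graph PowerShell SDK.
# $AppId is a placeholder for the Application ID noted in step 10.
$AppId = '00000000-0000-0000-0000-000000000000'

# Application permissions assigned in steps 5 to 7, as "API display name/permission".
# The API display names are assumptions; adjust them if your tenant shows others.
$Expected = @(
    'Microsoft Graph/Directory.Read.All'
    'Microsoft Graph/TeamSettings.ReadWrite.All'
    'Microsoft Graph/Group.Read.All'
    'Office 365 SharePoint Online/Sites.FullControl.All'
    'Office 365 SharePoint Online/User.Read.All'
    'Office 365 Exchange Online/full_access_as_app'
)

Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null

# The service principal is the tenant-local object that admin consent is granted to.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for application $AppId" }

# Resolve every granted app role to a readable "API/permission" string.
$granted = @(foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    $api  = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $role = $api.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    '{0}/{1}' -f $api.DisplayName, $role.Value
})

# Missing entries mean consent was not granted; extra entries exceed what the guide asks for.
$Expected | Where-Object { $_ -notin $granted } | ForEach-Object { Write-Warning "Not granted: $_" }
$granted  | Where-Object { $_ -notin $Expected } | ForEach-Object { Write-Warning "Not in guide: $_" }

# Client secrets: list each expiry date so the secret can be rotated before it lapses.
$app = Get-MgApplication -Filter "appId eq '$AppId'"
$app.PasswordCredentials | ForEach-Object {
    [pscustomobject]@{
        Description = $_.DisplayName
        Expires     = $_.EndDateTime
        DaysLeft    = [int]($_.EndDateTime - (Get-Date)).TotalDays
    }
}
```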

    At this point, it is essential to check some (normally) default settings to ensure they do not block the organisation from going through. The following setting still applies to organisations that use MFA, despite the name Microsoft gives it.


    Applications that don't use MFA

    Head to the SharePoint Online admin centre:

    1. Select the "Policies" dropdown menu
    2. Click "Access Control"
    3. Select the heading "Apps that don't use modern authentication".
    4. Ensure that the option "Allow" is selected.
    5. Click "Save" if any adjustments were made.

    Linking your organisation account on Hive

    1. Log into Probax Hive.
    2. Within the right-hand panel, select the Accounts tab and navigate to the desired account. (In the event you do not yet have an account for your organisation, simply select Create New Account near the upper-right section of the site).
    3. Select the option Manage Storage Spaces at the upper-right corner of the site within the Resources tab.
    4. Select the option Add New Storage Space.
    5. Navigate to the Microsoft 365 section and fill in the required details.
    6. Once the account has been successfully added, your organisation will appear similar to what is shown below.

     

    Create a Microsoft 365 Backup with Simple Authentication

    Permissions:

    There are several permission requirements for your Office 365 Backup to function correctly. These permissions are:

    • Application Impersonation role - to get items from users. To allow this role assignment, the account must be granted the Organization Management permission.
    • Organizations Configuration role - to manage role assignments.
    • View-Only Configuration role - to obtain the necessary organization configuration parameters.
    • View-Only Recipients role - to view the list of mailbox recipients.
    • Role Management role - to manage and verify role assignments.
    • MailboxSearch or MailRecipients - to back up groups.
    • SharePoint Administrator role - to get items from SharePoint.

    If the above roles are not granted, further processing will not be possible. The above roles can be assigned by using either of the following methods:

    1. Using the Microsoft Admin Portal.
    2. Manually, by using Exchange Management PowerShell cmdlets.

    Ensure that your admin user has the appropriate permissions to access all Mailboxes, OneDrives, and SharePoint Sites. Please note that we are not responsible for data that has not been backed up because of incorrect setup.

    It is best practice to create a separate Office 365 Admin Group and Service Account that holds the fewest roles possible and is used purely for the Office 365 Backup connection. Further information on why this is best practice can be found in Overview: Backup for Office 365 Performance & Limitations. To help with this, we have included instructions for both the O365 Admin Portal and a PowerShell script.

    To apply the required permissions via the Microsoft Admin Portal:

    1. Open the Microsoft Admin Portal.
    2. Select the Admin Centers dropdown, and select Exchange.
    3. On the left hand menu, select Permissions.
    4. Under the Admin Roles menu, select Add and provide a new name for the custom O365 Permissions Group.
    5. Add the Application Impersonation, Organizations Configuration, View-Only Configuration, View-Only Recipients, Role Management, MailboxSearch and MailRecipients roles to this permission group, and assign your designated O365 account as a member of this permission group.
    6. Save the group.
    7. Return to the Microsoft Admin Portal.
    8. Select Users on the left-hand side menu, and select Active Users.
    9. Select the user that you are assigning permissions for.
    10. On the menu that opens, locate Roles and select Edit.
    11. Select Customized administrator, and select SharePoint administrator.


      You have now set all required permissions for Probax O365 Backups.
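
    The same role group can be created and checked with Exchange Online PowerShell cmdlets, the second method listed above. This is an added example, not Probax's own script: the group name and both account names are placeholders, the role names are written as Exchange Online lists them, and the SharePoint administrator role is still assigned in the portal as in steps 7 to 11.

```powershell
# Added example, not Probax code. Requires the ExchangeOnlineManagement module.
# All three values below are placeholders, not values from the article.
$GroupName = 'O365 Backup Service'
$BackupUpn = 'svc-backup@example.onmicrosoft.com'
$AdminUpn  = 'admin@example.onmicrosoft.com'   # needs Organization Management

# Exchange roles from the permissions list, spelled as Exchange Online names them.
$RequiredRoles = @(
    'ApplicationImpersonation'
    'Organization Configuration'
    'View-Only Configuration'
    'View-Only Recipients'
    'Role Management'
    'Mailbox Search'
    'Mail Recipients'
)

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Create the dedicated group once; later runs only audit it.
if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName -Roles $RequiredRoles -Members $BackupUpn `
        -Description 'Dedicated role group for the O365 backup connection' | Out-Null
}

# Compare what is actually assigned with what the backup needs.
$assigned = @(Get-ManagementRoleAssignment -RoleAssignee $GroupName |
    Select-Object -ExpandProperty Role | Sort-Object -Unique)

$RequiredRoles | Where-Object { $_ -notin $assigned } |
    ForEach-Object { Write-Warning "Missing role: $_" }
$assigned | Where-Object { $_ -notin $RequiredRoles } |
    ForEach-Object { Write-Warning "Role beyond the documented set: $_" }

# The group should contain the backup service account and nothing else.
Get-RoleGroupMember -Identity $GroupName |
    Select-Object Name, RecipientType, PrimarySmtpAddress

Disconnect-ExchangeOnline -Confirm:$false
```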
    
    

    Linking your organisation account on Hive

    1. Log into Probax Hive.
    2. Within the right-hand panel, select the Accounts tab and navigate to the desired account. (In the event you do not yet have an account for your organisation, simply select Create New Account near the upper-right section of the site).
    3. Select the option Manage Storage Spaces at the upper-right corner of the site within the Resources tab.
    4. Select the option Add New Storage Space.
    5. Navigate to the Office 365 section. Select Change to Basic Authentication at the top of the wizard and fill in the required details.
    6. Once the account has been successfully added, your organisation will appear similar to what is shown below.

    Congratulations! Your O365 backup job has now been created, and you are ready to begin configuring this organisation's job. Head to this knowledge base article for more information on how to begin adding users and changing your settings.