
How to: Microsoft 365 Backup & Archive

How to set permissions, link your organisation, configure the backup and restore data

Before You Get Started:

From accidental deletion of accounts and data to malicious intent, here at Probax we believe that you can never be too prepared for any disastrous scenarios. That is why we support backups for Microsoft 365. 

Licensing:

Please review our Microsoft 365 Backup & Archive FAQ to understand how the solution works and how to license it correctly. Please note that failure to license the solution correctly is in breach of our Acceptable Use Policy.

Authentication

Microsoft 365 Backup & Archive supports the following authentication types:

Create a Microsoft 365 Backup with Modern Authentication (Recommended)

Several steps are required to prepare for the use of MFA with Office 365 backups. This simplified step-by-step guide aims to have you on your way in no time. It covers the following:

  • Registering an application in Azure Active Directory
  • Obtaining the Application ID
  • Creating and obtaining a client application secret
  • Setting up a new MFA user account solely for backups
  • Assigning the required roles for the newly created user account

  1. Log into the Azure Active Directory admin center, navigate to App registrations and select New registration:
    Register Application

  2. Insert your desired name, select the option Accounts in this organisational directory only, followed by Register.
  3. Once registered, you will need to grant your application with the required permissions. Select Overview followed by View API Permissions:
    View API Permissions
  4. Select Add a permission:
    Add a Permission
  5. Within the wizard, select Microsoft Graph followed by Application permissions:
    Microsoft Graph API
    Application Permissions
  6. Navigate through the permissions list, apply the permissions Read.All and Group.Read.All, and select Add permissions.
  7. Under the option Grant consent, select “Grant admin consent for…”:
    Grant Permission For
  8. Confirm that Admin consent has been granted and then select Overview:
    Grant Admin Consent
  9. Take note of the Application ID in a way that you can easily refer back to (Application ID – ExampleValue), as this is required for adding MFA to Probax Hive:
    Application ID
  10. In order to create an Application Secret, navigate to Certificates & Secrets followed by + New client secret.
    Add New Secret
  11. Insert the desired description and select an expiry date within the wizard, then select Add.
    Secret Expiration
  12. You will notice an Application Secret ID, similar to what is shown below. It is important to take note of this ID in a way that you can easily refer back to this value (Application Secret – ExampleValue).
    Customer Secret
  13. Navigate back to the Azure Active Directory admin center dashboard, select Users – All users, then select New user.
    Add New User
  14. Create your Probax O365 backup user, ensuring that you include the roles Exchange Administrator and SharePoint Administrator under Directory role.
    Select Roles
  15. Once the account has been created, select Multi-Factor Authentication within All users:
    Enable MFA
  16. Select the account and Enable MFA for the account.
    enable MFA
  17. Return to the Microsoft Admin Portal, select the Admin Centers drop-down and select Exchange.
    Exchange Center
  18. Navigate to Permissions and select the + symbol to create a new admin role.

    Add New Role
  19. Enter the desired name for the new role, add the ApplicationImpersonation role, add the newly created backup account as a member then hit Save.
    Application Impersonation
  20. Finally, to obtain the App Password, sign into the newly created account in Microsoft Office 365, and proceed to add additional security verification to the account. It is important to take note of this password in a way that you can easily refer back to this value (App password – ExampleValue).
    Additional Security
    Additional Security Verification
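
To confirm what steps 6 to 11 actually produced, the following added example (not part of the original Probax guide) reports the client secrets with their expiry and the application permissions that hold admin consent, so they can be compared with what was intended. It assumes the Microsoft.Graph PowerShell SDK is installed; `$AppId` is a placeholder and the 30-day warning window is an assumption.

```powershell
# Added example, not Probax code: audit the backup app registration.
$AppId    = '00000000-0000-0000-0000-000000000000'  # placeholder: Application ID from step 9
$WarnDays = 30                                      # assumed warning window for secret expiry

Connect-MgGraph -Scopes 'Application.Read.All'

$app = Get-MgApplication -Filter "appId eq '$AppId'"
$sp  = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $app -or -not $sp) { throw "Application $AppId was not found in this tenant." }

# 1. Client secrets: report expired secrets and those close to expiry.
$now = (Get-Date).ToUniversalTime()
$secretReport = foreach ($secret in $app.PasswordCredentials) {
    $daysLeft = [math]::Floor(($secret.EndDateTime.ToUniversalTime() - $now).TotalDays)
    $status = 'OK'
    if ($daysLeft -lt 0) { $status = 'EXPIRED' }
    elseif ($daysLeft -le $WarnDays) { $status = 'EXPIRING' }
    [pscustomobject]@{
        Description = $secret.DisplayName
        KeyId       = $secret.KeyId
        Expires     = $secret.EndDateTime
        DaysLeft    = $daysLeft
        Status      = $status
    }
}

# 2. Application permissions that have been granted admin consent.
$grants = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
$permissionReport = foreach ($grant in $grants) {
    # Resolve the permission name from the resource API's app role list.
    $resource = Get-MgServicePrincipal -ServicePrincipalId $grant.ResourceId
    $role     = $resource.AppRoles | Where-Object { $_.Id -eq $grant.AppRoleId }
    [pscustomobject]@{
        Resource   = $resource.DisplayName
        Permission = $role.Value
        GrantedOn  = $grant.CreatedDateTime
    }
}

$secretReport     | Sort-Object DaysLeft | Format-Table -AutoSize
$permissionReport | Sort-Object Resource, Permission | Format-Table -AutoSize
```

Any permission in the second table that was not added in step 6 is broader access than the backup needs, and an EXPIRED or EXPIRING secret means the value recorded in step 12 has to be rotated and updated in Hive.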

Linking your organisation account on Hive

  1. Log into Probax Hive.
  2. Within the right-hand panel, select the Accounts tab and navigate to the desired account. (In the event you do not yet have an account for your organisation, simply select Create New Account near the upper-right section of the site).
    Create New Account
  3. Select the option Manage Storage Spaces at the upper-right corner of the site within the Resources tab.
    Resources Tab
  4. Select the option Add New Storage Space.
    Add New Storage Space
  5. Navigate to the Microsoft 365 section and fill in the required details.
    Veeam Authentication Screen
  6. Once the account has been successfully added, your organisation will appear similar to what is shown below.
    Finalised Account

 

Create a Microsoft 365 Backup with Simple Authentication

Permissions:

There are several permission requirements for your Office 365 Backup to function correctly. These permissions are:

  • Application Impersonation role - to get items from users. To allow this role assignment, the account must be granted the Organization Management permission.
  • Organizations Configuration role - to manage role assignments.
  • View-Only Configuration role - to obtain the necessary organization configuration parameters.
  • View-Only Recipients role - to view the list of mailbox recipients.
  • Role Management role - to manage and verify role assignments.
  • MailboxSearch or MailRecipients - to backup groups.
  • SharePoint Administrator role - to get items from SharePoint.

If the above roles are not granted, further processing will not be possible. The above roles can be assigned by using either of the following methods:

  1. Using the Microsoft Admin Portal.
  2. Manually, by using Exchange Management PowerShell cmdlets.

Ensure that your admin user has the appropriate permissions to access all Mailboxes, OneDrives, and SharePoint Sites. Please note that we are not responsible for data that has not been backed up because of incorrect setup.

It is a best practice to create a separate Office 365 Admin Group and Service Account that holds the fewest roles possible and is used purely for the Office 365 Backup connection. Further information on why this is best practice can be found in Overview: Backup for Office 365 Performance & Limitations. To action this, we have included instructions for both the O365 Admin Portal and a PowerShell script.

To apply the required permissions via the Microsoft Admin Portal:

  1. Open the Microsoft Admin Portal.
  2. Select the Admin Centers dropdown, and select Exchange.

    MS Exchange

  3. On the left hand menu, select Permissions.


    Permissions

  4. Under the Admin Roles menu, select Add and provide a new name for the custom O365 Permissions Group.
  5. Add the Application Impersonation, Organizations Configuration, View-Only Configuration, View-Only Recipients, Role Management, MailboxSearch and MailRecipients roles to this permission group, and assign your designated O365 account as a member of this permission group.


    O365 Backup Permissions

  6. Save the group.
  7. Return to the Microsoft Admin Portal.
  8. Select Users on the left-hand side menu, and select Active Users.

    Office 365 Select Active Users

  9. Select the user that you are assigning permissions for.

    Select O365 User for Permissions

  10. On the menu that opens, locate Roles and select Edit.

    Edit Roles

  11. Select Customized administrator, and select SharePoint administrator.

    Select SharePoint Administrator

    You have now set all required permissions for Probax O365 Backups.

You can also perform the above through PowerShell:

#############################################
### Creating an Office 365 Service Account ###
#############################################
# THE FOLLOWING SCRIPT IS TO BE UTILIZED AS AN EXAMPLE AND NO WARRANTIES OR SUPPORT ARE PROVIDED
# RUN PowerShell ISE as Administrator

#Gets your Office 365 Admin Credentials for authentication
$credential = Get-Credential

#Imports the AzureAD Module
# https://docs.microsoft.com/en-us/powershell/azuread/v2/azureactivedirectory
Import-Module AzureAD

#Imports the MSOnline PowerShell Module (provides the *-Msol* cmdlets used below)
Import-Module MSOnline

#Connects to the MSOnline Service with the credentials provided
Connect-MsolService -Credential $credential

#Imports the Exchange Online PowerShell cmdlets into the PowerShell session
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential -Authentication "Basic" -AllowRedirection
Import-PSSession $exchangeSession -DisableNameChecking -AllowClobber

#SVCAccount First Name
Write-Host -ForegroundColor Yellow 'Enter your Service Account First Name'
$FirstName = Read-Host

#SVCAccount Last Name
Write-Host -ForegroundColor Yellow 'Enter Your Service Account Last Name'
$LastName = Read-Host

#SVCAccount Account in Proper Email Form
Write-Host -ForegroundColor Yellow 'Enter your Service Account UPN - ex - example@probax.io Format please'
$UPN = Read-Host
$DisplayName = $FirstName + " " + $LastName

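#Service account password, read without echoing it to the console
Write-Host -ForegroundColor Yellow 'Enter your Service Account Password'
$SecurePassword = Read-Host -AsSecureString
#New-MsolUser expects the password as a plain string, so convert it for that call
$Password = [System.Net.NetworkCredential]::new('', $SecurePassword).Password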

#Creates the New user and applies an O365 License
New-MsolUser -DisplayName $DisplayName -FirstName $FirstName -LastName $LastName -UserPrincipalName $UPN -Password $Password -LicenseAssignment "LicName:ENTERPRISEPACK" -UsageLocation US -UserType Member -ForceChangePassword $false

#Creates the new role group with the proper VBO365 Permissions
New-RoleGroup -Name $DisplayName -DisplayName $DisplayName -Roles "ApplicationImpersonation", "View-Only Recipients", "View-Only Configuration", "Role Management", "Mail Recipients"

#Adds the user to the role group
Add-RoleGroupMember $DisplayName -Member $UPN

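#Reconnects to the MSOnline Service (prompts for credentials) and grants the SharePoint administrator role
Connect-MsolService
$role = Get-MsolRole -RoleName "SharePoint Service Administrator"
Add-MsolRoleMember -RoleMemberEmailAddress $UPN -RoleName $role.Name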
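
To check that the dedicated role group still matches the least-privilege setup recommended above, the following added example (not part of the Probax script) compares the group's roles with a baseline, lists its members, and shows every principal that holds ApplicationImpersonation. It assumes the ExchangeOnlineManagement module is installed; `$RoleGroupName` is a placeholder, and the baseline is copied from the `New-RoleGroup` call in the script above.

```powershell
# Added example, not Probax code: audit the backup role group in Exchange Online.
$RoleGroupName = 'Backup Service'   # placeholder: the role group name ($DisplayName in the script)
# Baseline taken from the New-RoleGroup call above; adjust it if your group was built differently.
$ExpectedRoles = 'ApplicationImpersonation', 'View-Only Recipients',
                 'View-Only Configuration', 'Role Management', 'Mail Recipients'

Connect-ExchangeOnline

# 1. Roles assigned to the group, compared with the baseline.
$actualRoles = Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName -Delegating $false |
    ForEach-Object { [string]$_.Role } | Sort-Object -Unique
if (-not $actualRoles) { throw "No role assignments found for '$RoleGroupName'." }

$roleDrift = Compare-Object -ReferenceObject $ExpectedRoles -DifferenceObject @($actualRoles) |
    ForEach-Object {
        $finding = 'Missing from group'
        if ($_.SideIndicator -eq '=>') { $finding = 'Extra role on group' }
        [pscustomobject]@{ Role = $_.InputObject; Finding = $finding }
    }

# 2. Members: a dedicated backup group should contain only the service account.
$members = @(Get-RoleGroupMember -Identity $RoleGroupName)

# 3. Every principal that can impersonate mailboxes, through any group or direct assignment,
#    with the write scope that limits (or does not limit) which mailboxes are covered.
$impersonators = Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, CustomRecipientWriteScope

if ($roleDrift) { $roleDrift | Format-Table -AutoSize } else { 'Roles match the baseline.' }
"Members of '$RoleGroupName': $($members.Count)"
$members       | Select-Object Name | Format-Table -AutoSize
$impersonators | Sort-Object RoleAssigneeName | Format-Table -AutoSize
```

More than one member, an extra role, or an impersonation assignment that does not trace back to this group is a deviation from the single-purpose service account described above.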

Linking your organisation account on Hive

  1. Log into Probax Hive.
  2. Within the right-hand panel, select the Accounts tab and navigate to the desired account. (In the event you do not yet have an account for your organisation, simply select Create New Account near the upper-right section of the site).
    Create New Account
  3. Select the option Manage Storage Spaces at the upper-right corner of the site within the Resources tab.
    Resources Tab
  4. Select the option Add New Storage Space.
    Add New Storage Space
  5. Navigate to the Office 365 section. Select Change to Basic Authentication at the top of the wizard and fill in the required details.
    Simple Authentication
  6. Once the account has been successfully added, your organisation will appear similar to what is shown below.
    Finalised Account

Selecting Items to Backup

After adding your Office 365 Backup, you need to select which items you’d like to protect. To do this:

      1. Within the Resources section on your account, select Actions followed by Configure Protection.
        Configure Protection
      2. For Mailbox and OneDrive accounts, simply select whether you would like to backup the account by adjusting the switch to Once this is selected, the backup will begin processing on the next scheduled backup.
        Enable Backups
      3. To backup SharePoint sites, navigate to the Show Sharepoints tab at the top of the wizard and select the sites that you wish to backup. Once selected, the backup will begin processing on the next scheduled backup.
        Enable Sharepoint

Ensure that your admin user has the appropriate permissions to access all Mailboxes, OneDrives, and SharePoint Sites. Please note that we are not responsible for data that has not been backed up because of incorrect setup.

Further Configuration

You can access further configuration settings by navigating to the Configure Protection section and selecting the Show Settings tab within the upper-right corner of the wizard.

Show Settings

The following briefly describes the outcome of selecting each option:

Set backup for all current Mailboxes

When enabled, this option will allow you to adjust all current Mailboxes to be selected for backups. Alternatively, the option Disabled will remove the Mailboxes that have already been selected.

Set backup for all current OneDrives

When enabled, this option will allow you to adjust all current OneDrives to be selected for backups. Alternatively, the option Disabled will remove the OneDrives that have already been selected.

Set backup for all current Organisation SharePoint Sites

When enabled, this option will allow you to adjust all current SharePoint sites to be selected for backups. Alternatively, the option Disabled will remove the SharePoint sites that have already been selected.

Auto-backup new Mailboxes

When enabled, this option will allow you to automatically backup any new Mailboxes created within this organization.

Auto-backup new OneDrives

When enabled, this option will allow you to automatically backup any new OneDrives created within this organization.

Auto-backup new SharePoint Sites

When enabled, this option will allow you to automatically backup any new SharePoint sites created within this organization.

Set new Authentication details for Organization

Selecting either Modern Auth or Basic Auth will allow you to update the credential and/or account that is being used to manage these backups.

Unlink Organization and delete all data

Choosing this will remove the Office 365 backups from Probax Hive.

Office 365 Performance and Limitations

Time taken to do first backup
Your first backup will start at the next backup window, which occurs every 4 hours. The time to perform the initial backup will vary depending on the number of Mailboxes, OneDrives and SharePoint Sites that are chosen. Microsoft can also have a very aggressive bandwidth throttling algorithm which we have no control over. For large Organizations the first backup may take as long as a week.

How many backups are performed
We will perform at most 6 automatic daily backups. Again, this varies depending on the factors above. You can force a backup at any time, though this will stop any backup currently in progress in order to take a new backup.

 

For technical support questions, please contact support@probax.io

For sales and product information, contact your Partner Manager.