Create Backup Set
Microsoft 365 Backup allows you to backup your Outlook, OneDrive, Personal Site and Public Folders from your Microsoft 365 account.
Requirements
You are strongly recommended to configure or check all the settings below to confirm all the requirements are met before you proceed with the Microsoft 365 backup and restoration:
- Make sure that the latest version of CloudBacko Lite is installed on your computer with Internet access for connection to your Microsoft 365 account.
- Upgrade VMware Tools - To avoid unexpected java crash, if the Windows machine is a guest VM hosted on a VMware Host then it is highly recommended that the VMware tools version installed on the guest VM must be 10.0.5 or above.
- Make sure that the Microsoft 365 Backup feature has been enabled as an add-on module in your CloudBacko Lite user account and there is enough Microsoft 365 Backup license quota to cover the backup of your users.
The licenses for the Microsoft 365 module are calculated by the number of unique licensed or unlicensed Microsoft 365 user accounts.
If same Microsoft 365 account is backed up on multiple backup sets with a CloudBacko Lite user account would be counted as one Microsoft 365 license.
- Each licensed or unlicensed Microsoft 365 user account selected for backup requires one Microsoft 365 license.
- Each Equipment Mailbox, Room Mailbox, or Shared Mailbox selected for backup requires one Microsoft 365 license.
- If just only SharePoint Sites under the Site Collections and/or files of folders under Public Folder are selected for backup, this requires only one Microsoft 365 license.
- As CloudBacko Lite licenses are calculated on a per device basis:
- To backup users with one (1) backup client computer.
For example, if one CloudBacko Lite is installed then, one CloudBacko Lite license is required.
- To backup users with multiple backup client computers, the number of CloudBacko Lite licenses required is equal to the number of devices.
For example, if there are ten (10) backup sets to backed-up across three (3) backup client computers, then 3 CloudBacko Lite licenses are required.
- Backup Quota Requirement - Make sure that your CloudBacko Lite user account has sufficient quota assigned to accommodate the storage of the Microsoft 365 users for the new backup set and retention policy.
- A licensed Exchange Administrator or a licensed user with Public Folder permission is required otherwise you will not be able to access the public folder to select items for backup or restore.
- The default Java heap setting 2048M, is sufficient for Microsoft 365 backups based on the default 4 concurrent backup threads.
The Java heap size should only be increased if the number of current backup threads is increased as more backup threads is expected to consume more memory. But this does not guarantee that the overall backup speed will be faster since there will be an increased chance of throttling.
As the value of 4 concurrent backup threads is found to be the optimal setting for Microsoft 365 backups, to ensure best backup performance, minimal resource usage, and lowest probability of throttling of backup requests by Microsoft 365.
- The following subscription plans with Microsoft 365 email services are supported to run backup and restore on CloudBacko Lite.
Microsoft 365 Business |
Microsoft 365 Business Essentials |
Microsoft 365 Business Premium |
Microsoft 365 Entrprise E1 |
Microsoft 365 Entrprise E3 |
Microsoft 365 Entrprise E4 |
Microsoft 365 Entrprise E5 |
Microsoft 365 Education |
- Make sure your Microsoft 365 subscription with Microsoft is active in order to enjoy all privileges that come along with our backup services. If your account has expired, renew it with Microsoft as soon as possible so that you can continue to enjoy the Microsoft 365 backup services.
When your account is expired, depending on your role, certain access restrictions will be applied to your account.
Refer to the URL for more details: https://support.office.com/en-us/article/What-happens-to-my-data-and-access-when-my-Office-365-for-business-subscription-ends-4436582f-211a-45ec-b72e-33647f97d8a3#BKMK_TrialEnds
- Microsoft 365 Permission Requirements - The basic permissions required by a Microsoft user account for authentication of a Microsoft 365 backup set is as follows:
Global Admin Role
Starting with CloudBacko Lite v4.1.4.0 or above, the Microsoft 365 account used for authentication must have Global Admin Role, since Modern Authentication will be used. This is to ensure that the authorization configuration requirements will be fulfilled (e.g. connect to Microsoft Azure AD to obtain the App Access Token). To assign the role, please refer to Assigning Global Admin Role to Accounts.
A member of Discovery Management security group
The Discovery Management security group must be assigned the following roles. To assign the role, please refer to Granting Permission to Discovery Management Group.
- Mailbox Search
- Public Folders
Otherwise, proceed to grant all necessary permissions to the Microsoft user account as shown in the following instructions.
Assigning Global Admin Role to Accounts
To assign the Global Admin role to accounts, follow the steps below:
- Click the App launcher in the upper left side then click Admin to go to the Microsoft 365 admin center.
- In the Microsoft 365 admin center, on the left panel click Users. Find the user you want to assign the Global Admin and select Manage roles.
- In the Manage roles window, select Admin center access then check the box beside Global admin. Click Save Changes to save the role you assigned.
Granting Permission to Discovery Management Group
This permission allows users added under the Members section of the Discovery Management group (refer to Granting Permission to Accounts for Creating Backup Set) to back up and/or restore user item(s) not only for their own account, but also the accounts of other users in the same Members section.
- Open https://outlook.office365.com/ecp.
- Log in to the Microsoft 365 as an account administrator.
- Select the permissions menu on the left, then double click on Discovery Management on the right.
- Click the [+] icon under the Roles section. These are the following roles:
- Mailbox Search
- Public Folders
- Click Save to confirm and exit the setting.
Granting Permission to Accounts for Creating Backup Set
- Open https://outlook.office365.com/ecp.
- Log in to the Microsoft 365 as an account administrator.
- Select the permissions menu on the left, then double click on Discovery Management on the right.
- You can now add users to this group. Click the [+] icon under the Members section.
- Look for the username(s) of the account that you would like to add permission for, then click add > OK to add the corresponding user(s) to the permission group.
- Click Save to confirm and exit the setting.
- Data Synchronization Check (DSC) Setup - To compensate for the significant backup performance increase, there is a tradeoff made by the Change Key API, which skips the checking of de-selected files in the backup source, which over time can result in a discrepancy between the items or files/folders selected in the backup source and those in the backup destination(s).
To overcome this, it is necessary in some cases to run a Data Synchronization Check (DSC) periodically, so that it will synchronize the data in the backup source and backup destination(s) to avoid data build-up and free up storage quota.
|
Enabled |
Disabled |
Backup Time |
Since data synchronization check is enabled, it will only run on the set interval.
For example, the default number of interval is 60 days.
The backup time for the data synchronization job will take longer than the usual backup as it is checking the de-selected files and/or folders in the backup source and data in the backup destination(s)
|
As data synchronization check is disabled, the backup time will not be affected. |
Storage |
Management of storage quota will be more efficient as it will detect items that are de-selected and move it to retention and will be removed after it exceeds the retention policy freeing up the storage quota. |
Management of storage quota will be less efficient even though files and/or folders are already de-selected from the backup source, these files will remain in the data area of backup destination(s). |
- Authentication - To comply with Microsoft’s product roadmap for Microsoft 365, from CloudBacko Lite v4.1.4.0 or above, Basic Authentication (Authentication using Microsoft 365 login credentials) will no longer be utilized. Instead all new Microsoft 365 backup sets created will use Modern Authentication.
Since the second half of 2021, it will be a mandatory requirement for organizations still using Basic Authentication or Hybrid Authentication to migrate to Modern Authentication.
Modern Authentication provides a more secure user authentication by using app token for authentication aside from using the Microsoft 365 login credentials. In order to use Modern Authentication, the Microsoft 365 account is registered under Global region and the Microsoft 365 backup is configured to use Global region. As both Germany and China region do not support Modern Authentication.
Existing backup sets using Basic Authentication can be migrated to Modern Authentication. However, once the authentication process is completed, the authentication can never be reverted back to Basic Authentication. For more information on how to migrate to Modern Authentication please refer to this link Migrating Authentication of Microsoft 365 Backup Set. After the upgrade to CloudBacko Lite v5 or above, the backup and restore process of existing Microsoft 365 backup sets still using Basic Authentication will not be affected during this transition period since Modern Authentication is not yet enforced by Microsoft.
To check the current authentication being used in your Microsoft 365 backup set, see criteria below:
- Basic Authentication - If you click on the backup set and a pop up message is displayed, then the backup set is using Basic Authentication.
- Modern and Hybrid Authentication - If you click on the backup set there is no pop up message displayed then the backup set is using either Modern or Hybrid Authentication.
Supported Services
These are the supported services of Microsoft 365 Backup module
Services |
Supported |
Services |
Supported |
Outlook |
✔ |
Yammer |
✖ |
OneDrive |
✔ |
Microsoft Stream |
✖ |
SharePoint |
✖ |
Power BI |
✖ |
Microsoft Teams |
✔ |
Microsoft Power Apps |
✖ |
These are the supported Outlook Mailbox types of Microsoft 365
Item |
Supported |
Item |
Supported |
Archive Mailbox |
✖ |
Distribution Group |
✖ |
Dynamic Distribution Group |
✖ |
Equipment Mailbox |
✔ |
Microsoft 365 Group |
✖ |
Public Folder |
✔ |
Public Folder Mailbox |
✖ |
Room Mailbox |
✔ |
Security Group |
✖ |
Shared Mailbox |
✔ |
User Mailbox |
✔ |
These are the supported items that you can back up and restore from an Outlook Mailbox
Item |
Supported |
Item |
Supported |
Archive |
✔ |
Calendar |
✔ |
Clutter |
✔ |
Companies |
✖ |
Contacts |
✔ |
Conversion History |
✖ |
Deleted Items |
✔ |
Draft |
✔ |
External Contacts |
✖ |
GAL Contacts |
✖ |
Inbox |
✔ |
Journal |
✖ |
Junk Email |
✔ |
Notes |
✔ |
Organizational Contacts |
✖ |
Outbox |
✖ |
PeopleCentricConversation Buddies |
✖ |
PersonMetaData |
✖ |
Recipient Cache |
✖ |
RSS Feeds |
✔ |
Search Folders |
✖ |
Sent Items |
✔ |
Social Activity Notifications |
✖ |
Sync Issues |
✖ |
Tasks |
✔ |
Trah |
✔ |
These are the supported items that you can back up and restore from OneDrive
Item |
Supported |
Item |
Supported |
Folders |
✔s |
Files |
✔ |
Access Permissions |
✔ |
Albums |
✖ |
Recycle Bin |
✖ |
Tag |
✖ |
These are the supported Items that you can back up and restore from the Public Folder of a Microsoft 365 backup set.
Item |
Supported |
Item |
Supported |
Folders |
✔ |
Files |
✔ |
Maximum Supported File Size
The following table shows the maximum supported file size per item for backup and restore of each service.
Service |
Maximum File Size |
Outlook -with or without attachments -(applies to User mailbox, Room mailbox, Shared mailbox, Equipment mailbox) |
150 MB |
Public Folders -with or without attachments |
150 MB |
OneDrive |
8 GB |
Personal Site |
8 GB |
Limitations
- Each CloudBacko Lite backup user account supports backup of a maximum of TWO Microsoft 365 personal accounts.
- OneDrive
- Backup and restore of file share links will be supported for OneDrive and SharePoint Documents only, and only for restore to the same Microsoft 365 organization.
- Backup and restore of all versions will be supported for OneDrive and SharePoint Documents only, except for ".aspx" files.
- Outlook
- For Outlook mail item, after using restore to original location to overwrite a mail item (and hence ID of the mail is changed), then in the backup source tree of the same backup set:
- the original ticked item still uses the old mail ID to reference and becomes red item.
- there is another item (with the latest mail ID) created for that mail item.
- User will need to de-select the red item and tick the mail item again in the backup source tree in order to do the next backup properly. As per development team, the issue will not be handled as user's selected source should not be modified by the system.
- Modern Authentication is only supported for Microsoft 365 account that is registered in Global region and the Microsoft 365 backup is configured to use Global region.
- Backup sets using Modern Authentication cannot backup .aspx version file.
- Due to limitations in Microsoft API, when using Modern Authentication, backup and restore of SharePoint Web Parts and Metadata are not fully supported.
- Backup sets using Modern Authentication does not support restore of some list settings, currently knows as Survey Options on survey list.
Best Practices and Recommendation
The following are some best practices and recommendation we strongly recommend you follow before you start any Microsoft 365 backup and restore.
- Temporary directory folder is used by CloudBacko Lite for storing backup set index files and any backup files generated during a backup job.
To ensure optimal backup/restoration performance, it is recommended that the temporary directory folder is set to a local drive with sufficient free disk space.
- Performance Recommendation - Consider the following best practices for optimized performance of the backup operations:
- Enable scheduled backup jobs when system activity is low to achieve the best possible performance.
- Perform test restores periodically to ensure your backup is set up and performed properly.
Performing recovery test can also help identify potential issues or gaps in your recovery plan.
It's important that you do not try to make the test easier, as the objective of a successful test is not to demonstrate that everything is flawless.
There might be flaws identified in the plan throughout the test and it is important to identify those flaws.
- Backup Destination - To provide maximum data protection and flexible restore options, it is recommended to configure:
- At least one offsite or cloud destination
- At least one local destination for fast recovery
- Periodic Backup Schedule - The periodic backup schedule should be reviewed regularly to ensure that the interval is sufficient to handle the data volume on the machine.
Over time, data usage pattern may change on a production server, e.g. the number of new files created, the number of files which are updated/deleted, and new users may be added etc.
- Large number of Microsoft 365 users to Backup - It is recommended to divide the users into multiple backup sets.
A single Microsoft 365 backup set should not contain more than 2,000 Microsoft 365 users.
That is assuming that only small incremental daily changes will be made on the Run on Client backup set.
By splitting up all the users into separate backup sets, the more backup sets, the faster the backup process can finish.
- Concurrent Backup Thread - The value of 4 concurrent backup threads is found to be the optimal setting for Microsoft 365 backups, to ensure best backup performance, minimal resource usage, and lowest probability of throttling of backup requests by Microsoft 365.
- Authentication - Although Microsoft has moved the enforcement date for Modern Authentication from end of 2020 to the second half of 2021, since this new authentication is already available starting with CloudBacko Lite v4.1.4.0 or above, it is recommended that backup sets are migrated to Modern Authentication. All newly created Microsoft 365 backup sets on CloudBacko Lite v5.3.2.0 or above automatically use Modern Authentication.
Creating a Microsoft 365 Backup Set
Name |
The name of the backup set.
|
Backup set type |
The backup set type, i.e. Microsoft 365 Backup
|
Access the Internet through Proxy |
Checkbox will be ticked if proxy will be used to access the internet, cannot be edited.
|
To create a backup set:
- Enter a backup set name.
- Select the backup set type.
- Optional: Check the 'Access the Internet through proxy' checkbox.
- Click the [Test] button.
- Click the [Authorize] button to start the authentication process.
- Sign in to your Microsoft account.
If MFA is enforced for the Microsoft 365 user account used to authenticate the backup set, select to verify either by "Text" or "Call".
- If "Text" was selected, enter the code and click [Verify]
- If "Call" was selected, answer the call and follow the instructions to verify.
Note: Verification is only required if the MFA status of a Microsoft 365 account is enforced.
- Copy the authorization code.
- Go back to CloudBacko Lite and paste the authorization code then click the [OK] button to proceed.
- The confirmation message Test completed successfully will be shown when CloudBacko Lite is connected to the Microsoft 365 account successfully.
- Click the [Next] button to proceed.