Create Backup Set
Microsoft 365 Backup allows you to back up your Outlook, OneDrive, Personal Site, Teams, SharePoint Sites and Public Folders from your Microsoft 365 account.
Requirements
It is strongly recommended that you configure or check all the settings below to confirm that all the requirements are met before you proceed with the Microsoft 365 backup and restoration:
- Make sure that the latest version of CloudBacko Pro is installed on your computer with Internet access for connection to your Microsoft 365 account.
- Upgrade VMware Tools - To avoid an unexpected Java crash, if the Windows machine is a guest VM hosted on a VMware Host, it is highly recommended that the VMware Tools version installed on the guest VM is 10.0.5 or above.
- Backup Quota Requirement - Make sure that your CloudBacko Pro user account has sufficient quota assigned to accommodate the storage of the Microsoft 365 users for the new backup set and retention policy.
- The default Java heap setting, 2048M, is sufficient for Microsoft 365 backups based on the default 4 concurrent backup threads.
The Java heap size should only be increased if the number of concurrent backup threads is increased, as more backup threads are expected to consume more memory. But this does not guarantee that the overall backup speed will be faster, since there will be an increased chance of throttling.
The value of 4 concurrent backup threads is found to be the optimal setting for Microsoft 365 backups, to ensure best backup performance, minimal resource usage, and lowest probability of throttling of backup requests by Microsoft 365.
- The following subscription plans with Microsoft 365 email services are supported to run backup and restore on CloudBacko Pro.
  - Microsoft 365 Business
  - Microsoft 365 Business Essentials
  - Microsoft 365 Business Premium
  - Microsoft 365 Enterprise E1
  - Microsoft 365 Enterprise E3
  - Microsoft 365 Enterprise E4
  - Microsoft 365 Enterprise E5
  - Microsoft 365 Education
- Make sure your Microsoft 365 subscription with Microsoft is active in order to enjoy all privileges that come along with our backup services. If your account has expired, renew it with Microsoft as soon as possible so that you can continue to enjoy the Microsoft 365 backup services.
When your account is expired, depending on your role, certain access restrictions will be applied to your account.
Refer to the URL below for more details: https://support.office.com/en-us/article/What-happens-to-my-data-and-access-when-my-Office-365-for-business-subscription-ends-4436582f-211a-45ec-b72e-33647f97d8a3#BKMK_TrialEnds
- Microsoft 365 Permission Requirements for CloudBacko Pro - The basic permissions required by a Microsoft user account for authentication of a CloudBacko Pro Microsoft 365 backup set are as follows:
- Global Admin Role
Starting with CloudBacko Pro v4.1.4.0 or above, the Microsoft 365 account used for authentication must have Global Admin Role, since Modern Authentication will be used. This is to ensure that the authorization configuration requirements will be fulfilled (e.g. connect to Microsoft Azure AD to obtain the App Access Token). To assign the role, please refer to Assigning Global Admin Role to Accounts.
- Term Store Administrator Role
The Term Store Administrator Role may be required for backup and restore of SharePoint items. To assign the role, please refer to Granting Term Store Administrator Role.
- A member of Discovery Management security group
The Discovery Management security group must be assigned the following roles. To assign the role, please refer to Granting Permission to Discovery Management Group.
- ApplicationImpersonation
- Legal Hold
- Mailbox Import Export
- Mailbox Search
- Public Folders
Otherwise, proceed to grant all necessary permissions to the Microsoft user account as shown in the following instructions.
Assigning Global Admin Role to Accounts
To assign the Global Admin role to accounts, follow the steps below:
- Click the App launcher in the upper left side then click Admin to go to the Microsoft 365 admin center.
- In the Microsoft 365 admin center, on the left panel click Users. Find the user you want to assign the Global Admin role to and select Manage roles.
- In the Manage roles window, select Admin center access then check the box beside Global admin. Click Save Changes to save the role you assigned.
Granting Term Store Administrator Role
To add the Term Store Administrator role to the Microsoft 365 user account used to authenticate the Microsoft 365 backup set, follow the steps below:
- In the SharePoint admin center, under Content services, click Term store.
- In the tree view pane on the left, select the Taxonomy.
- In the Term store page, for Admins, select Edit. The Edit term store admins panel appears.
- Enter the names or email addresses of the Microsoft 365 users whom you want to add as term store admins. Select Save.
Granting Permission to Discovery Management Group
This permission allows users added under the Members section of the Discovery Management group (refer to Granting Permission to Accounts for Creating Backup Set) to back up and/or restore user item(s) not only for their own account, but also the accounts of other users in the same Members section.
- Open https://outlook.office365.com/ecp.
- Log in to Microsoft 365 as an account administrator.
- Select the permissions menu on the left, then double click on Discovery Management on the right.
- Click the [+] icon under the Roles section and add the following roles:
- ApplicationImpersonation
- Legal Hold
- Mailbox Import Export
- Mailbox Search
- Public Folders
- Click Save to confirm and exit the setting.
Granting Permission to Accounts for Creating Backup Set
- Open https://outlook.office365.com/ecp.
- Log in to Microsoft 365 as an account administrator.
- Select the permissions menu on the left, then double click on Discovery Management on the right.
- You can now add users to this group. Click the [+] icon under the Members section.
- Look for the username(s) of the account that you would like to add permission for, then click add > OK to add the corresponding user(s) to the permission group.
- Click Save to confirm and exit the setting.
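The result of the two procedures above (roles on the Discovery Management group, and who is a member of it) can be checked from Exchange Online PowerShell. The following read-only audit is an added example, not part of the CloudBacko documentation; it assumes the ExchangeOnlineManagement module is installed, and the admin account name is a placeholder.

```powershell
# Added example: read-only audit of the Discovery Management role group.
# Assumes the ExchangeOnlineManagement module; $AdminUpn is a placeholder value.
$AdminUpn  = 'admin@contoso.example'   # placeholder, replace with your admin account
$GroupName = 'Discovery Management'

# Roles this page lists as required on the group.
$RequiredRoles = @(
    'ApplicationImpersonation'
    'Legal Hold'
    'Mailbox Import Export'
    'Mailbox Search'
    'Public Folders'
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    # Roles currently assigned to the role group.
    $assigned = @(
        Get-ManagementRoleAssignment -RoleAssignee $GroupName |
            ForEach-Object { [string]$_.Role } |
            Sort-Object -Unique
    )

    # Roles from the page's list that are not yet assigned.
    $missing = @($RequiredRoles | Where-Object { $_ -notin $assigned })

    # Roles beyond the documented set: review and remove if not needed.
    $extra = @($assigned | Where-Object { $_ -notin $RequiredRoles })

    # Every member inherits all roles above, including ApplicationImpersonation
    # and Mailbox Import Export, so this list should hold only backup accounts.
    $members = @(
        Get-RoleGroupMember -Identity $GroupName -ResultSize Unlimited |
            Select-Object Name, RecipientType, PrimarySmtpAddress
    )

    [pscustomobject]@{
        RoleGroup     = $GroupName
        AssignedRoles = $assigned -join '; '
        MissingRoles  = $missing  -join '; '
        ExtraRoles    = $extra    -join '; '
        MemberCount   = $members.Count
    } | Format-List

    $members | Format-Table -AutoSize
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

An empty MissingRoles value means the group holds every role the page lists; any account in the member table that is not used for backup should be removed from the group.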
Granting Permission to restore all share link types to alternate location in Microsoft 365
To successfully restore all share link types to alternate location of the same organization in Microsoft 365, follow the settings below:
- Allowing anonymous users to access application pages
- Click the App launcher, then click SharePoint.
- Click Settings > Site Settings.
- Under Site Collection Administration, click Site collection features.
- Deactivate "Limited-Access user permission lockdown mode" feature.
- Allowing sharing to external users
- Go to your Microsoft 365 Admin Center > All admin centers > in the right pane select SharePoint.
- Go to Policies > Sharing.
- Under External sharing, make sure the button is in line with “Existing guests”, then click Save.
- Data Synchronization Check (DSC) Setup - To compensate for the significant backup performance increase, there is a tradeoff made by the Change Key API, which skips the checking of de-selected files in the backup source, which over time can result in a discrepancy between the items or files/folders selected in the backup sources and those in the backup destination(s).
To overcome this, it is necessary in some cases to run a Data Synchronization Check (DSC) periodically, so that it will synchronize the data in the backup source and backup destination(s) to avoid data build-up and free up storage quota.
| | Enabled | Disabled |
| --- | --- | --- |
| Backup Time | Since data synchronization check is enabled, it will only run on the set interval. For example, the default interval is 60 days. The backup time for the data synchronization job will be longer than the usual backup, as it is checking the de-selected files and/or folders in the backup source and data in the backup destination(s). | As data synchronization check is disabled, the backup time will not be affected. |
| Storage | Management of storage quota will be more efficient, as it will detect items that are de-selected and move them to retention; they will be removed after they exceed the retention policy, freeing up the storage quota. | Management of storage quota will be less efficient: even though files and/or folders are already de-selected from the backup source, these files will remain in the data area of the backup destination(s). |
- Authentication - To comply with Microsoft’s product roadmap for Microsoft 365, from CloudBacko Pro v4.1.4.0 or above, Basic Authentication (Authentication using Microsoft 365 login credentials) will no longer be utilized. Instead all new Microsoft 365 backup sets created will use Modern Authentication.
From the second half of 2021, it will be a mandatory requirement for organizations still using Basic Authentication or Hybrid Authentication to migrate to Modern Authentication.
Modern Authentication provides more secure user authentication by using an app token for authentication in addition to the Microsoft 365 login credentials. In order to use Modern Authentication, the Microsoft 365 account must be registered under the Global region and the Microsoft 365 backup must be configured to use the Global region, as both the Germany and China regions do not support Modern Authentication.
Existing backup sets using Basic Authentication can be migrated to Modern Authentication. However, once the authentication process is completed, the authentication can never be reverted back to Basic Authentication. For more information on how to migrate to Modern Authentication please refer to this link Migrating Authentication of Microsoft 365 Backup Set. After the upgrade to CloudBacko Pro v5 or above, the backup and restore process of existing Microsoft 365 backup sets still using Basic Authentication will not be affected during this transition period since Modern Authentication is not yet enforced by Microsoft.
To check the current authentication being used in your Microsoft 365 backup set, see criteria below:
- Basic Authentication - If you click on the backup set and a pop up message is displayed, then the backup set is using Basic Authentication.
- Modern and Hybrid Authentication - If you click on the backup set and no pop up message is displayed, then the backup set is using either Modern or Hybrid Authentication.
Supported Services
These are the supported services of Microsoft 365 Backup module
| Services | Supported | Services | Supported |
| --- | --- | --- | --- |
| Outlook | ✔ | Yammer | ✖ |
| OneDrive | ✔ | Microsoft Stream | ✖ |
| SharePoint | ✔ | Power BI | ✖ |
| Microsoft Teams | ✔ | Microsoft Power Apps | ✖ |
These are the supported Outlook Mailbox types of Microsoft 365
| Item | Supported | Item | Supported |
| --- | --- | --- | --- |
| Archive Mailbox | ✖ | Distribution Group | ✖ |
| Dynamic Distribution Group | ✖ | Equipment Mailbox | ✔ |
| Microsoft 365 Group | ✖ | Public Folder | ✔ |
| Public Folder Mailbox | ✖ | Room Mailbox | ✔ |
| Security Group | ✖ | Shared Mailbox | ✔ |
| User Mailbox | ✔ | | |
These are the supported items that you can back up and restore from an Outlook Mailbox
| Item | Supported | Item | Supported |
| --- | --- | --- | --- |
| Archive | ✔ | Calendar | ✔ |
| Clutter | ✔ | Companies | ✖ |
| Contacts | ✔ | Conversation History | ✖ |
| Deleted Items | ✔ | Drafts | ✔ |
| External Contacts | ✖ | GAL Contacts | ✖ |
| Inbox | ✔ | Journal | ✖ |
| Junk Emails | ✔ | Notes | ✔ |
| Organizational Contacts | ✖ | Outbox | ✖ |
| PeopleCentricConversation Buddies | ✖ | PersonMetaData | ✖ |
| Recipient Cache | ✖ | RSS Feed | ✔ |
| Search Folders | ✖ | Sent Items | ✔ |
| Social Activity Notifications | ✖ | Sync Issues | ✖ |
| Tasks | ✔ | Trash | ✔ |
These are the supported items that you can back up and restore from OneDrive
| Item | Supported | Item | Supported |
| --- | --- | --- | --- |
| Folders | ✔ | Files | ✔ |
| Access Permissions | ✔ | Albums | ✖ |
| Recycle Bin | ✖ | Tag | ✖ |
These are the supported SharePoint items that you can back up and restore from a Microsoft 365 backup set
| Item | Supported | Item | Supported |
| --- | --- | --- | --- |
| Announcements | ✔ | Assets Libraries | ✔ |
| Bright Banner | ✔ | Calendar | ✔ |
| Contacts | ✔ | Custom Lists | ✔ |
| Data Connection Libraries | ✔ | Discussion Boards | ✔ |
| External Lists | ✖ | Form Libraries | ✔ |
| General Settings | ✔ | Import Spreadsheets | ✔ |
| Issue Tracking | ✔ | Links | ✔ |
| Look and Feel | ✖ | Manage Site Features | ✖ |
| Newsfeed | ✖ | Permissions and Management | ✔ |
| Picture and Libraries | ✔ | Report Libraries | ✔ |
| Site Collection Features | ✖ | Site Page | ✔ |
| Survey | ✔ | Version History | ✔ |
| Wiki / Page Libraries | ✔ | | |
These are the supported SharePoint Site Collection templates that you can back up and restore from a Microsoft 365 backup set
| Item | Supported | Item | Supported |
| --- | --- | --- | --- |
| Team Site | ✔ | Team Site (Classic Experience) | ✔ |
| Blog | ✔ | Project Site | ✔ |
| Developer Site | ✔ | Community Site | ✖ |
| Document Center | ✖ | eDiscovery Center | ✖ |
| Records Center | ✖ | Business Intelligence Center | ✖ |
| Compliance Policy Center | ✖ | Enterprise Search Center | ✖ |
| Community Portal | ✖ | Basic Search Center | ✖ |
| Visio Process Repository | ✖ | My Site Host | ✔ |
| Publishing Portal | ✖ | Enterprise WIKI | ✖ |
| Modern Team Sites | ✔ | Modern Communication Site | ✖ |
These are the supported Site Column Types that you can back up and restore from a Microsoft 365 backup set
| Item | Supported | Item | Supported |
| --- | --- | --- | --- |
| CalendarFolderType | ✔ | CalendarItemType | ✔ |
| ContactItemType | ✔ | ContactsFolderType | ✔ |
| DistributionListType | ✔ | FolderType | ✔ |
| MeetingCancellationMessageType | ✔ | MeetingMessageType | ✔ |
| MeetingRequestMessageType | ✔ | MeetingResponseMessageType | ✔ |
| MessageType | ✔ | PostItemType | ✔ |
| SearchFolderType | ✔ | TasksFolderType | ✔ |
| TaskType | ✔ | UserConfigurationType | ✔ |
These are the supported Items that you can back up and restore from the Public Folder of a Microsoft 365 backup set.
| Item | Supported | Item | Supported |
| --- | --- | --- | --- |
| Folders | ✔ | Files | ✔ |
Supported Backup Source
Below is the supported backup source for Microsoft 365 Backup and Restore.
- Mailbox Level: Outlook, OneDrive, Personal Site, Public Folders and Site Collections.
- Folder Level: Inbox, Drafts, Sent Items, Deleted Items, Archive, Calendar, Clutter, Contacts, Junk Email, Notes, RSS Feeds, Tasks and Trash.
Maximum Supported File Size
The following table shows the maximum supported file size per item for backup and restore of each service.
| Service | Maximum File Size |
| --- | --- |
| Outlook, with or without attachments (applies to User mailbox, Room mailbox, Shared mailbox, Equipment mailbox) | 150 MB |
| Public Folders, with or without attachments | 150 MB |
| OneDrive | 8 GB |
| Personal Site | 8 GB |
| Site Collections | 8 GB |
Limitations
- For restoration of Microsoft 365 backup set to alternate location, there are some limitations:
- Only administrator account or user account with administrative authority can restore backup mailbox items to an alternate location.
- If you are trying to restore item(s) from one mailbox to an alternate location mailbox, CloudBacko Pro will restore the item(s) to their respective destination folder(s) with the same name of the original folder(s).
Example: Item from "Inbox" folder of Mailbox-A will be restored to the "Inbox" folder of the alternate location Mailbox-B; Item from "Drafts" folder of Mailbox-A will be restored to the "Drafts" folder of the alternate location Mailbox-B.
- If you are trying to restore item(s) from several mailboxes to an alternate location mailbox, CloudBacko Pro will restore the item(s) to their respective destination folder(s) with the same name of the original folder(s).
Example: Item from "Inbox" folder of Mailbox-A and Mailbox-B will be restored to the "Inbox" folder of the alternate location Mailbox-C.
- Restore of public folder item(s) to an alternate location mailbox is not supported.
Example: Restore of public folder items from Mailbox-A to alternate location Mailbox-B is not supported.
- Restore of mailbox items or public folder items is only supported if the according mailbox or public folder exists.
- If you are trying to restore the mailbox item to a destination mailbox which has a different language setting than the original mailbox, CloudBacko Pro will restore mailbox item(s) to their respective destination folder based on the translation listed below. For folders such as ‘Calendar’ or ‘Notes’, a new folder ‘Calendar’ or ‘Notes’ will be created.
| Backup source (English) | Action | Destination mailbox with Chinese as default language settings |
| --- | --- | --- |
| Inbox | Merge | 收件箱 |
| Outbox | Merge | 寄件匣 |
| Sent Items | Merge | 寄件備份 |
| Deleted Items | Merge | 刪除的郵件 |
| Drafts | Merge | 草稿 |
| Junk E-Mail | Merge | 垃圾電郵 |
| Calendar | Create new folder | Calendar |
| Notes | Create new folder | Notes |
- Modern Authentication is only supported for Microsoft 365 account that is registered in Global region and the Microsoft 365 backup is configured to use Global region.
- Backup sets using Modern Authentication cannot back up .aspx version file.
- Due to limitations in Microsoft API, when using Modern Authentication, backup and restore of SharePoint Web Parts and Metadata are not fully supported.
- Backup sets using Modern Authentication do not support restore of some list settings, currently known as Survey Options on survey list.
Best Practices and Recommendation
The following are some best practices and recommendations we strongly recommend you follow before you start any Microsoft 365 backup and restore.
- Temporary directory folder is used by CloudBacko Pro for storing backup set index files and any backup files generated during a backup job.
To ensure optimal backup/restoration performance, it is recommended that the temporary directory folder is set to a local drive with sufficient free disk space.
- Performance Recommendation - Consider the following best practices for optimized performance of the backup operations:
- Enable scheduled backup jobs when system activity is low to achieve the best possible performance.
- Perform test restores periodically to ensure your backup is set up and performed properly.
Performing a recovery test can also help identify potential issues or gaps in your recovery plan.
It's important that you do not try to make the test easier, as the objective of a successful test is not to demonstrate that everything is flawless.
There might be flaws identified in the plan throughout the test and it is important to identify those flaws.
- Backup Destination - To provide maximum data protection and flexible restore options, it is recommended to configure:
- At least one offsite or cloud destination
- At least one local destination for fast recovery
- Periodic Backup Schedule - The periodic backup schedule should be reviewed regularly to ensure that the interval is sufficient to handle the data volume on the machine.
Over time, data usage pattern may change on a production server, e.g. the number of new files created, the number of files which are updated/deleted, and new users may be added etc.
- Authentication - Although Microsoft has moved the enforcement date for Modern Authentication from end of 2020 to the second half of 2021, since this new authentication is already available starting with CloudBacko Pro v4.1.4.0 or above, it is recommended that backup sets are migrated to Modern Authentication. All newly created Microsoft 365 backup sets on CloudBacko Pro v4.1.4.0 or above automatically use Modern Authentication.
However, due to the current limitation with Microsoft API, Modern Authentication is currently not suitable for backup sets with Personal Sites and/or SharePoint Sites selected.
- Large number of Microsoft 365 users to Backup - It is recommended to divide the users into multiple backup sets.
A single Microsoft 365 backup set should not contain more than 2,000 Microsoft 365 users.
That is assuming that only small incremental daily changes will be made on the Run on Client backup set.
Splitting the users into separate backup sets speeds up the backup process: the more backup sets, the faster the backup can complete.
- Concurrent Backup Thread - The value of 4 concurrent backup threads is found to be the optimal setting for Microsoft 365 backups, to ensure best backup performance, minimal resource usage, and lowest probability of throttling of backup requests by Microsoft 365.
- Backup Source - For Microsoft 365 backup sets there are two approaches for backup source selection.
- All Microsoft 365 Users - If you select “All users”, all of the sub Microsoft 365 user accounts will automatically be backed up.
- Selective Microsoft 365 User - If you select "Select Specific", you must choose the Microsoft 365 user accounts that will be backed up.
Creating a Microsoft 365 Backup Set
Key:
| Field | Description |
| --- | --- |
| Name | The name of the backup set. |
| Backup set type | The backup set type, e.g. Microsoft 365 Backup |
| Backup Scope | The extent of the backup, either Entire Organization or This Microsoft 365 User Only. |
| Access the Internet through Proxy | The checkbox will be ticked if a proxy will be used to access the internet; it cannot be edited. |
To create a backup set with Modern Authentication:
- Enter a backup set name.
- Select the backup set type.
- Select the backup scope, e.g. Entire Organization.
- Select the region, e.g. Global.
- Optional: Check the "Access the Internet through proxy" checkbox.
- Click the [Test] button.
- Click the [Authorize] button to start the authentication process.
- Sign in to your Microsoft account.
If MFA is enforced for the Microsoft 365 user account used to authenticate the backup set, select to verify either by "Text" or "Call".
- If "Text" was selected, enter the code and click [Verify]
- If "Call" was selected, answer the call and follow the instructions to verify.
Note: Verification is only required if the MFA status of a Microsoft 365 account is enforced.
- Copy the authorization code.
- Go back to CloudBacko Pro and paste the authorization code then click the [OK] button to proceed.
- The confirmation message Test completed successfully will be shown when CloudBacko Pro is connected to the Microsoft 365 account successfully.
- Click [Next] to proceed.