Create Backup Set
Office 365 Backup allows you to backup your mailbox, OneDrive and Sharepoint files from your Office 365 account.
Requirements
You are strongly recommended to configure or check all the settings below to confirm all the requirements are met before you proceed with the Office 365 backup and restoration:
- Make sure that the latest version of %edition_name% is installed on your computer with Internet access for connection to your Office 365 account.
- Upgrade VMware Tools - To avoid unexpected java crash, if the Windows machine is a guest VM hosted on a VMware Host then it is highly recommended that the VMware tools version installed on the guest VM must be 10.0.5 or above.
- Backup Quota Requirement - Make sure that your %edition_name% user account has sufficient quota assigned to accommodate the storage of the Office 365 users for the new backup set and retention policy.
- SharePoint Site Backup - To be able to backup Personal Sites and/or SharePoint Sites, ensure that you use Hybrid Authentication when creating a backup set. Due to the current limitation with Microsoft API, Modern Authentication is currently not suitable for backup sets with Personal Sites and/or SharePoint Sites selected. As backup and restore of SharePoint metadata are not fully supported.
- The default Java heap setting 2048M, is sufficient for Office 365 backups based on the default 4 concurrent backup threads.
The Java heap size should only be increased if the number of current backup threads is increased as more backup threads is expected to consume more memory. But this does not guarantee that the overall backup speed will be faster since there will be an increased chance of throttling.
As the value of 4 concurrent backup threads is found to be the optimal setting for Office 365 backups, to ensure best backup performance, minimal resource usage, and lowest probability of throttling of Ahsay backup requests by Microsoft Office 365.
- The following subscription plans with Office 365 email services are supported to run backup and restore on %edition_name%.
| Office 365 Business |
Office 365 Business Essentials |
| Office 365 Business Premium |
Office 365 Entrprise E1 |
| Office 365 Entrprise E3 |
Office 365 Entrprise E4 |
| Office 365 Entrprise E5 |
Office 365 Education |
- Make sure your Office 365 subscription with Microsoft is active in order to enjoy all privileges that come along with our backup services. If your account has expired, renew it with Microsoft as soon as possible so that you can continue to enjoy the Office 365 backup services.
When your account is expired, depending on your role, certain access restrictions will be applied to your account.
Refer to the URL below for more details: https://support.office.com/en-us/article/What-happens-to-my-data-and-access-when-my-Office-365-for-business-subscription-ends-4436582f-211a-45ec-b72e-33647f97d8a3#BKMK_TrialEnds
- Office 365 Permission Requirements for %edition_name% - The basic permissions required by an Office user account for authentication of an %edition_name% Office 365 backup set is as follows:
Global Admin Role
Starting with %edition_name% v8.3.6.0 or above, the Office 365 account used for authentication must have Global Admin Role, since Modern Authentication will be used. This is to ensure that the authorization configuration requirements will be fulfilled (e.g. connect to Microsoft Azure AD to obtain the App Access Token). To assign the role, please refer to Assigning Global Admin Role to Accounts.
Term Store Admininistrator Role
The Term Store Administrator Role may be required for backup and restore of SharePoint items. To assign the role, please refer to Granting Term Store Administrator Role.
A member of Discovery Management security group
The Discovery Management security group must be assigned the following roles. To assign the role, please refer to Granting Permission to Discovery Management Group.
- ApplicationImpersonation
- Legal Hold
- Mailbox Import Export
- Mailbox Search
- Public Folders
Otherwise, proceed to grant all necessary permissions to the Office user account as shown in the following instructions.
Assigning Global Admin Role to Accounts
To assign the Global Admin role to accounts, follow the steps below:
- Click the App launcher in the upper left side then click Admin to go to the Microsoft 365 admin center.
- In the Microsoft 365 admin center, on the left panel click Users. Find the user you want to assign the Global Admin and select Manage roles.
- In the Manage roles window, select Admin center access then check the box beside Global admin. Click Save Changes to save the role you assigned.
Granting Term Store Administrator Role
To add Term Store Administrator role to the Office 365 user account used to authenticate the Office 365 backup set.
- In the SharePoint admin center, under Content services, click Term store.
- In the tree view pane on the left, select the Taxonomy.
- In the Term store page, for Admins, select Edit. The Edit term store admins panel appears.
- Enter the names or email addresses of the Office 365 user who you want to add as term store admins. Select Save.
Granting Permission to Discovery Management Group
This permission allows users added under the Members section of the Discovery Management group (refer to Granting Permission to Accounts for Creating Backup Set) to back up and/or restore user item(s) not only for their own account, but also the accounts of other users in the same Members section.
- Open https://outlook.office365.com/ecp.
- Log in to the Office 365 as an account administrator.
- Select the permissions menu on the left, then double click on Discovery Management on the right.
- Click the [+] icon under the Roles section. These are the following roles:
- ApplicationImpersonation
- Legal Hold
- Mailbox Import Export
- Mailbox Search
- Public Folders
- Click Save to confirm and exit the setting.
Granting Permission to Accounts for Creating Backup Set
- Open https://outlook.office365.com/ecp.
- Log in to the Office 365 as an account administrator.
- Select the permissions menu on the left, then double click on Discovery Management on the right.
- You can now add users to this group. Click the [+] icon under the Members section.
- Look for the username(s) of the account that you would like to add permission for, then click add > OK to add the corresponding user(s) to the permission group.
- Click Save to confirm and exit the setting.
Granting Permission to restore all share link types to alternate location in Office 365
To successfully restore all share link types to alternate location of the same organization in Office 365, follow the settings below:
- Allowing anonymous users to access application pages
- Go to the alternate Site > in the left pane, select Site Contents > Site Settings
- Go to Site Collection features
- Deactivate "Limited-Access user permission lockdown mode" feature
- Allowing sharing to external users
- Go to your Microsoft 365 Admin Center > All admin centers > in the right pane select SharePoint.
- Go to Sharing.
- If using Classic sites view, go to Policies > Sharing.
- Under Sharing outside your organization, select “Allow sharing only with the external users that already exist in your organization’s directory” and click OK.
- If using Classic sites view, under External sharing the button must be in line with “Existing guests” and click Save.
- Data Synchronization Check (DSC) Setup - To compensate for the significant backup performance increase, there is a tradeoff made by the Change Key API, which skips the checking of de-selected files in the backup source, which over time can result in a discrepancy between the items or files/folders selected in the backup sources and those in the backup destination(s).
To overcome this, it is necessary in some cases to run a Data Synchronization Check (DSC) periodically, so that it will synchronize the data in the backup source and backup destination(s) to avoid data build-up and free up storage quota.
|
Enabled |
Disabled |
| Backup Time |
Since data synchronization check is enabled, it will only run on the set interval.
For example, the default number of interval is 60 days
The backup time for the data synchronization job will take longer than the usual backup as it is checking the de-selected files and/or folders in the backup source and data in the backup destination(s)
|
As data synchronization check is disabled, the backup time will not be affected. |
| Storage |
Management of storage quota will be more efficient as it will detect items that are de-selected and move it to retention and will be removed after it exceeds the retention policy freeing up the storage quota. |
Management of storage quota will be less efficient even though files and/or folders are already de-selected from the backup source, these files will remain in the data area of backup destination(s). |
- Authentication - To comply with Microsoft’s product roadmap for Office 365, from AhsayOBM v8.3.6.0 or above, Basic Authentication (Authentication using Office 365 login credentials) will no longer be utilized. Instead all new Office 365 backup sets created will use either Modern Authentication or Hybrid Authentication.
By second half of 2021, it will be a mandatory requirement for organizations still using Basic Authentication or Hybrid Authentication to migrate to Modern Authentication.
Modern Authentication provides a more secure user authentication by using app token for authentication aside from using the Office 365 login credentials. In order to use Modern Authentication, the Office 365 account is registered under Global region and the Office 365 backup is configured to use Global region. As both Germany and China region do not support Modern Authentication.
Existing backup sets using Basic Authentication created prior to AhsayOBM v8.3.6.0 can be migrated to Hybrid Authentication or Modern Authentication. However, once the authentication process is completed, the authentication can never be reverted back to Basic Authentication. For more information on how to migrate to Hybrid Authentication or Modern Authentication please refer to this link Migrating Authentication of Office 365 Backup Set. After the upgrade to AhsayOBM v8.3.6.0 or above, the backup and restore process of existing Office 365 backup sets still using Basic Authentication will not be affected during this transition period since Modern Authentication is not yet enforced by Microsoft.
In order to migrate existing backup sets to Hybrid Authentication or Modern Authentication there are two (2) methods:
- The first method is the Office 365 account used for the backup set is assigned the Global Admin role.
- The second method is the Office 365 account used for the backup set is an ordinary account. When changing the settings of the backup set, the user can ask an Office 365 Global Admin account to login their credentials first to authorize the migration of authentication. This is only required in migrating from Basic Authentication to Modern Authentication. This only needs to be done once per backup set.
!
Please note that Modern Authentication with enabled security in Azure Active Directory (AD) will be made default if there is zero-usage on any Office 365 organization by October 2020.
To check the current authentication being used in your Office 365 backup set, see criteria below:
- Basic Authentication - If you click on the backup set and the following pop up message is displayed, then the backup set is using Basic Authentication.
- Modern Authentication
- Go to Backup Sets > backup set name > General > Change settings.
- In the Office 365 credentials page, the region is Global and the Username exists but has no password, then the backup set is using Modern Authentication.
- Hybrid Authentication
- There is no pop up authentication alert.
- In the Office 365 credentials page, the region is Global and there is a Username and Account password then the backup set is using Hybrid Authentication.
Supported Services
These are the supported services of Office 365 Backup module
| Services |
Supported |
Services |
Supported |
| Outlook |
✔ |
Yammer |
✖ |
| OneDrive |
✔ |
Microsoft Stream |
✖ |
| SharePoint |
✔ |
Power BI |
✖ |
| Microsoft Teams |
✖ |
Microsoft Power Apps |
✖ |
These are the supported Outlook Mailbox types of Office 365
| Item |
Supported |
Item |
Supported |
| Archive Mailbox |
✖ |
Distribution Group |
✖ |
| Dynamic Distribution Group |
✖ |
Equipment Mailbox |
✔ |
| Office 365 Group |
✖ |
Public Folder |
✔ |
| Public Folder Mailbox |
✖ |
Room Mailbox |
✔ |
| Security Group |
✖ |
Shared Mailbox |
✔ |
| User Mailbox |
✔ |
These are the supported items that you can back up and restore from an Outlook Mailbox
| Item |
Supported |
Item |
Supported |
| Archive |
✔ |
Calendar |
✔ |
| Clutter |
✔ |
Companies |
✖ |
| Contacts |
✔ |
Conversion History |
✖ |
| Deleted Items |
✔ |
Drafts |
✔ |
| External Contacts |
✖ |
GAL Contacts |
✖ |
| Inbox |
✔ |
Journal |
✖ |
| Junk Emails |
✔ |
Notes |
✔ |
| Organizational Contacts |
✖ |
Outbox |
✖ |
| PeopleCentricConversation Buddies |
✖ |
PersonMetaData |
✖ |
| Recipient Cache |
✖ |
RS Feed |
✔ |
| Search Folders |
✖ |
Sent Items |
✔ |
| Social Activity Notifications |
✖ |
Sync Issues |
✖ |
| Tasks |
✔ |
Trash |
✔ |
These are the supported items that you can back up and restore from OneDrive
| Item |
Supported |
Item |
Supported |
| Folders |
✔ |
Files |
✔ |
| Access Permissions |
✔ |
Albums |
✖ |
| Recycle Bin |
✖ |
Tag |
✖ |
These are the supported SharePoint items that you can back up and restore from an Office 365 backup set
| Item |
Supported |
Item |
Supported |
| Announcements |
✔ |
Assets Libraries |
✔ |
| Bright Banner |
✔ |
Calendar |
✔ |
| Contacts |
✔ |
Custom Lists |
✔ |
| Data Connection Libraries |
✔ |
Discussion Boards |
✔ |
| External Lists |
✔ |
Form Libraries |
✔ |
| General Settings |
✔ |
Import Spreadsheets |
✔ |
| Issue Tracking |
✔ |
Links |
✔ |
| Look and Feel |
✔ |
Manage Site Features |
✔ |
| Newsfeed |
✖ |
Permissions and Management |
✔ |
| Picture and Libraries |
✔ |
Report Libraries |
✔ |
| Site Collection Features |
✔ |
Site Page |
✔ |
| Survey |
✔ |
Version History |
✔ |
| Wiki / Page Libraries |
✔ |
These are the supported SharePoint Site Collections template that you can back up and restore from an Office 365 backup set
| Item |
Supported |
Item |
Supported |
| Team Site |
✔ |
Team Site (Classic Experience) |
✔ |
| Blog |
✔ |
Project Site |
✔ |
| Developer Site |
✔ |
Community Site |
✖ |
| Document Center |
✖ |
eDiscovery Center |
✖ |
| Records Center |
✖ |
Business Intelligence Center |
✖ |
| Compliance Policy Center |
✖ |
Enterprise Search Center |
✖ |
| Community Portal |
✖ |
Basic Search Center |
✖ |
| Visio Process Repository |
✖ |
My Site Host |
✔ |
| Publishing Portal |
✖ |
Enterprise WIKI |
✖ |
| Modern Team Sites |
✔ |
Modern Communication Site |
✖ |
These are the supported Site Column Type that you can back up and restore from an Office 365 backup set
| Item |
Supported |
Item |
Supported |
| CalendarFolderType |
✔ |
CalendarItemType |
✔ |
| ContactItemType |
✔ |
ContactsFolderType |
✔ |
| DistributionListType |
✔ |
FolderType |
✔ |
| MeetingCancellationMessageType |
✔ |
MeetingMessageType |
✔ |
| MeetingRequestMessageType |
✔ |
MeetingResponseMessageType |
✔ |
| MessageType |
✔ |
PostItemType |
✔ |
| SearchFolderType |
✔ |
TasksFolderType |
✔ |
| TaskType |
✔ |
UserConfigurationType |
✔ |
These are the supported Items that you can back up and restore from the Public Folder of an Office 365 backup set.
| Item |
Supported |
Item |
Supported |
| Folders |
✔ |
Files |
✔ |
Supported Backup Source
Below is the supported backup source for Office 365 Backup and Restore.
- Mailbox Level: Outlook, OneDrive and Personal Site.
- Folder Level: Inbox, Drafts, Sent Items, Deleted Items, Archive, Calendar, Contacts, Junk Email, Notes and Tasks.
Maximum Supported File Size
The following table shows the maximum supported file size per item for backup and restore of each service.
| Service |
Maximum File Size |
Outlook
-with or without attachments
-(applies to User mailbox, Room mailbox, Shared mailbox, Equipment mailbox) |
150 MB |
Public Folders
-with or without attachments |
150 MB |
OneDrive |
8 GB |
Personal Site |
8 GB |
Site Collections |
8 GB |
Limitations
- For restoration of Office 365 backup set to alternate location, there are some limitations:
- Only administrator account or user account with administrative authority can restore backup mailbox items to an alternate location.
- If you are trying to restore item(s) from one mailbox to an alternate location mailbox, %edition_name% will restore the item(s) to their respective destination folder(s) with the same name of the original folder(s).
Example: Item from "Inbox" folder of Mailbox-A will be restored to the "Inbox" folder of the alternate location Mailbox-B; Item from "Drafts" folder of Mailbox-A will be restored to the "Drafts" folder of the alternate location Mailbox-B.
- If you are trying to restore item(s) from several mailboxes to an alternate location mailbox, %edition_name% will restore the item(s) to their respective destination folder(s) with the same name of the original folder(s).
Example: Item from "Inbox" folder of Mailbox-A and Mailbox-B will be restored to the "Inbox" folder of the alternate location Mailbox-C.
- Restore of public folder item(s) to an alternate location mailbox is not supported.
Example: Restore of public folder items from Mailbox-A to alternate location Mailbox-B is not supported.
- Restore of mailbox items or public folder items is only supported if the according mailbox or public folder exists.
- If you are trying to restore the mailbox item to a destination mailbox which has a different language setting than the original mailbox, %edition_name% will restore mailbox item(s) to their respective destination folder based on the translation listed below. For folders such as ‘Calendar’ or ‘Notes’, a new folder ‘Calendar’ or ‘Notes’ will be created.
| Backup source (English) |
Action |
Destination mailbox with Chinese as default language settings |
| Inbox |
Merge |
收件箱 |
| Outbox |
Merge |
寄件匣 |
| Sent Items |
Merge |
寄件備份 |
| Deleted Items |
Merge |
刪除的郵件 |
| Drafts |
Merge |
草稿 |
| Junk E-Mail |
Merge |
垃圾電郵 |
| Calendar |
Create new folder |
Calendar |
| Notes |
Create new folder |
Notes |
- Modern Authentication is only supported for Office 365 account that is registered in Global region and the Office 365 backup is configured to use Global region.
- Backup sets using Modern Authentication cannot backup .aspx version file.
- Due to limitations in Microsoft API, when using Modern Authentication, backup and restore of SharePoint Web Parts and Metadata are not fully supported.
- Backup sets using Modern Authentication does not support restore of some list settings, currently known as Survey Options on survey list.
Best Practices and Recommendation
The following are some best practices and recommendation we strongly recommend you follow before you start any Office 365 backup and restore.
- Temporary directory folder is used by %edition_name% for storing backup set index files and any incremental or differential backup files generated during a backup job.
To ensure optimal backup/restoration performance, it is recommended that the temporary directory folder is set to a local drive with sufficient free disk space.
- Performance Recommendation - Consider the following best practices for optimized performance of the backup operations:
- Enable schedule backup jobs when system activity is low to achieve the best possible performance.
- Perform test restores periodically to ensure your backup is set up and performed properly.
Performing recovery test can also help identify potential issues or gaps in your recovery plan.
It's important that you do not try to make the test easier, as the objective of a successful test is not to demonstrate that everything is flawless.
There might be flaws identified in the plan throughout the test and it is important to identify those flaws.
- Set Backup Destination - After creating the backup set-in Run-on Client mode on AhsayCBS user web console, please remember to login %edition_name% to set the backup destination if you want the backup destination to be Local/Mapped Drive/Network Drive/Removable Drive.
- Backup Destination - To provide maximum data protection and flexible restore options, it is recommended to configure:
- At least one offsite or cloud destination
- At least one local destination for fast recovery
- Login to %edition_name% - After modifying the backup schedule setting of the Run on Client backup set on AhsayCBS user web console, please remember to login to the %edition_name% client once to synchronize the changes immediately.
- Periodic Backup Schedule - The periodic backup schedule should be reviewed regularly to ensure that the interval is sufficient to handle the data volume on the machine.
Over time, data usage pattern may change on a production server, e.g. the number of new files created, the number of files which are updated/deleted, and new users may be added etc.
- Authentication - Although Microsoft has moved the enforcement date for Modern Authentication from end of 2020 to the second half of 2021, since this new authentication is already available starting with AhsayOBM v8.3.6.0 or above, it is recommended that backup sets are migrated to Modern Authentication. All newly created Office 365 backup sets on AhsayOBM v8.3.6.0 or above automatically use Modern Authentication.
However, due to the current limitation with Microsoft API, Modern Authentication is currently not suitable for backup sets with Personal Sites and/or SharePoint Sites selected. As a temporary workaround for Office 365 backup sets which require backup of Personal Sites and/or SharePoint Sites selected should be migrated to Hybrid Authentication until the issue has been resolved by Microsoft.
- Large number of Office 365 users to Backup - It is recommended to divide the users into multiple backup sets.
A single Office 365 backup set should not contain more than 2,000 Office 365 users.
That is assuming that only small incremental daily changes will be made on the Run on Client backup set.
By splitting up all the users into separate backup sets, the more backup sets, the faster the backup process can achieve.
- Concurrent Backup Thread - The value of 4 concurrent backup threads is found to be the optimal setting for Office 365 backups, to ensure best backup performance, minimal resource usage, and lowest probability of throttling of Ahsay backup requests by Microsoft Office 365.
- Backup Source - For Office 365 backup sets there are two approaches for backup source selection.
- All Office 365 Users - If you tick the “Users” checkbox, all of the sub Office 365 user accounts will automatically be selected.
- Selective Office 365 User - If you tick selective Office 365 user accounts, you will notice that the “Users” checkbox is highlighted with gray color. This indicates that not all the users are selected.
Creating an Office 365 Backup Set
Key:
| Name |
The name of the backup set.
|
| Backup set type |
The backup set type, e.g. Office 365 Backup
|
| Username |
Username of the Office 365 account used for backup of mailbox, OneDrive and Sharepoint files.
|
| Account Password |
Password of the Office 365 account used for backup of mailbox, OneDrive and Sharepoint files.
|
| App Password |
Password of the Office 365 account if multi-factor authentication is enabled.
|
| Region |
Region where the Office 365 account is registered.
|
| Access the Internet through Proxy |
Checkbox will be ticked if proxy will be used to access the internet, cannot be edited.
|
To create a backup set with Modern Authentication :
- Enter a backup set name.
- Select the backup set type.
- Leave Username and Password blank.
- Select correct region, e.g.: Global.
- Click the [Test] button.
- Click [I understand the limitation and confirm to proceed] button.
- Click the [Authorize] button to start the authentication process.
- Sign in to your Microsoft account.
- If MFA is enforced for the Office 365 user account used to authenticate the backup set, enter the code and click [Verify]
Note: The verfication code is only required if the MFA status of an Office 365 account is enforced.
- Copy the authorization code.
- Go back to %edition_name% and paste the authorization code then click the [OK] button to proceed.
- The confirmation message Test completed successfully will be shown when %edition_name% is connected to the Office 365 account successfully.
To create a backup set with Hybrid Authentication with MFA not enforced:
- Enter a backup set name.
- Select the backup set type.
- Enter the login details of your Office 365 account.
- Enter Username and Account password.
- Select correct region, e.g.: Global.
- Click the [Test] button.
- Click the [Authorize] button to start the authentication process.
- Sign in to your Microsoft account.
- Copy the authorization code.
- Go back to %edition_name% and paste the authorization code then click the [OK] button to proceed.
- The confirmation message Test completed successfully will be shown when %edition_name% is connected to the Office 365 account successfully.
To create a backup set with Hybrid Authentication with MFA enforced:
- Enter a backup set name.
- Select the backup set type.
- Enter the login details of your Office 365 account.
- Enter Username, Account password, and App password.
- Select correct region, e.g.: Global.
- Click the [Test] button.
- Enter code sent to your mobile device then click the [Verify] button.
- Option: Click the [Use another method to authenticate] link to select between Text or Call.
- If Text is selected, enter code sent to your mobile device.
- If Call is selected, you will receive a call from a third-party app. From there follow the instructions to proceed with the authentication.
- Click the [Authorize] button to start the authentication process.
- Sign in to your Microsoft account.
- Enter the code and click the [Verify] button.
- Copy the authorization code.
- Go back to %edition_name% and paste the authorization code then click the [OK] button to proceed.
- The confirmation message Test completed successfully will be shown when %edition_name% is connected to the Office 365 account successfully.