Overview
To back up Microsoft Teams Chat, customers must create and configure a custom App Registration in Microsoft Entra ID.
Druva provides PowerShell script-driven automation, run from Azure Web Shell, that deploys the app, creates the required self-signed certificate, and assigns the required Microsoft Graph permissions. Refer to this document for setting up the app using Azure Web Shell.
Azure Web Shell requires a separate subscription from Microsoft. If you do not have Azure Web Shell, this document will help you deploy the app manually.
This app is used for app-only authentication with Microsoft Graph and requires:
Microsoft Graph Application permissions
A client secret
A self-signed certificate uploaded to the app
📝NOTE: If you would like to use a third-party CA certificate, you may skip the steps to create a self-signed certificate. Ensure that the CA certificate has a private key in Base64 format to upload to the Druva portal during configuration.
Step 1: Create an App Using App Registration in Microsoft Entra ID
This step covers:
Creating a custom app
Generating a client secret
Assigning required Microsoft Graph permissions
1.1 Create a New App Registration
Sign in to the Azure Portal
https://portal.azure.com
Navigate to Microsoft Entra ID > App registrations
Click + New registration
Fill in the following:
Name:
Example: Teams-Chat-Backup-App
Supported account types:
Select Accounts in this organizational directory only
Redirect URI:
Leave this blank
Click Register
After creation, note the following value (required later; also available under App Properties):
Application (client) ID
📝NOTE: ObjectID is not needed.
1.2 Generate a Client Secret
Inside the newly created app, go to: Certificates & secrets
Under Client secrets, click + New client secret
Enter:
Description: TeamsBackup
Expires: Choose an appropriate duration (e.g., 12 or 24 months)
Click Add
Immediately copy and store the secret value
This value is shown only once
Losing it will require creating a new secret
1.3 Assign Microsoft Graph Permissions
The app must have the following Application permissions:
User.Read.All
Chat.Read.All
Steps to Assign Permissions
Go to API permissions
Click + Add a permission
Select Microsoft Graph
Choose Application permissions
Add the following:
User.Read.All
Chat.Read.All
Click Add permissions
Grant Admin Consent
Click Grant admin consent
Confirm the action
❗IMPORTANT
Only Application permissions are supported
Delegated permissions will not work
Admin consent is mandatory
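One way to confirm Steps 1.1 to 1.3 before moving on, as an added example that is not part of Druva's documentation: request an app-only token with the client secret and check that its roles claim carries both permissions. The function name Get-GraphAppRoles is hypothetical, and the tenant ID, client ID and secret are placeholders you supply.

```powershell
# Added example: confirm the app from Step 1 gets an app-only Graph token with both roles.
# Get-GraphAppRoles is a hypothetical helper; tenant ID, client ID and secret are placeholders.
function Get-GraphAppRoles {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][securestring]$ClientSecret
    )
    # Convert the SecureString only for the duration of the token request.
    $plain = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $plain
        scope         = 'https://graph.microsoft.com/.default'
    }
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"

    # Decode the JWT payload (base64url, unpadded) only to read the roles claim.
    $payload = $resp.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
    return @($claims.roles)
}

$required = 'User.Read.All', 'Chat.Read.All'
$roles = Get-GraphAppRoles -TenantId '<tenant-id>' -ClientId '<application-client-id>' `
    -ClientSecret (Read-Host 'Client secret' -AsSecureString)

# A permission that was added but never admin-consented does not appear in roles.
$missing = $required | Where-Object { $_ -notin $roles }
if ($missing) { Write-Warning "Missing or unconsented: $($missing -join ', ')" }
else { 'Both application permissions are present in the token.' }
```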
Step 2: Create a Self-Signed Certificate (Windows)
This step explains how to:
Install OpenSSL
Create a self-signed certificate
Export the private key
Convert it to Base64 single-line format
2.1 Download and Install OpenSSL (Windows)
Download OpenSSL for Windows from:
https://slproweb.com/products/Win32OpenSSL.html
Download Win64 OpenSSL – Light or Full
Install OpenSSL and ensure:
Option “Add OpenSSL to the system PATH” is selected
Verify installation:
Open Command Prompt and run:
openssl version
2.2 Create a Self-Signed Certificate and Private Key
Launch Windows PowerShell as an administrator and run the following command:
$cert = New-SelfSignedCertificate `
    -Subject "CN=DruvaTeamsBackup" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy Exportable `
    -KeySpec Signature `
    -KeyLength 2048 `
    -HashAlgorithm SHA256
Create working folders (Windows PowerShell):
New-Item -ItemType Directory -Path C:\DruvaCerts -Force
Export the certificate as PFX (local use only) (Windows PowerShell):
$pfxPass = ConvertTo-SecureString -String "TempPassword123!" -AsPlainText -Force
Export-PfxCertificate `
    -Cert $cert `
    -FilePath "C:\DruvaCerts\DruvaTeamsBackup.pfx" `
    -Password $pfxPass
Export the public certificate (for Entra ID) (Windows PowerShell):
Export-Certificate `
    -Cert $cert `
    -FilePath "C:\DruvaCerts\DruvaTeamsBackup.cer"
Extract the private key using OpenSSL (CMD):
openssl pkcs12 -in C:\DruvaCerts\DruvaTeamsBackup.pfx ^
    -password pass:TempPassword123! ^
    -nodes -nocerts ^
    -out C:\DruvaCerts\DruvaTeamsBackup-raw.pem
Convert the private key to PKCS#8 (unencrypted) (CMD):
openssl pkcs8 -in C:\DruvaCerts\DruvaTeamsBackup-raw.pem ^
    -topk8 -nocrypt ^
    -out C:\DruvaCerts\DruvaTeamsBackup-privatekey.pem
Output will look like:
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
Normalize the private key for the Druva UI (Windows PowerShell):
(Get-Content C:\DruvaCerts\DruvaTeamsBackup-privatekey.pem -Raw) -replace "`r?`n", "\n"
Output will look like:
-----BEGIN PRIVATE KEY-----\nBASE64DATA...\n-----END PRIVATE KEY-----\n
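An added check, not part of Druva's procedure, that the private key produced above belongs to the exported certificate and that the single-line form is lossless; it also reports the thumbprint that Entra ID will show after upload and lists the files in the working folder that still hold the private key. The function name Test-DruvaKeyMaterial is hypothetical; the paths are the ones used in Step 2, and openssl is assumed to be on PATH.

```powershell
# Added example: sanity-check the Step 2 output before pasting it into the Druva form.
# Test-DruvaKeyMaterial is a hypothetical name; default paths are the ones used in Step 2.
function Test-DruvaKeyMaterial {
    param(
        [string]$CerPath = 'C:\DruvaCerts\DruvaTeamsBackup.cer',
        [string]$KeyPath = 'C:\DruvaCerts\DruvaTeamsBackup-privatekey.pem'
    )

    # Export-Certificate writes DER by default, so tell OpenSSL the input format.
    $certPub = (& openssl x509 -inform DER -in $CerPath -pubkey -noout) -join "`n"
    $keyPub  = (& openssl pkey -in $KeyPath -pubout) -join "`n"

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

    # Same normalization as Step 2, then reverse it to confirm nothing was lost.
    $pem        = Get-Content $KeyPath -Raw
    $singleLine = $pem -replace "`r?`n", '\n'
    $restored   = $singleLine -replace '\\n', "`n"

    # Every .pfx and .pem in the working folder contains the private key.
    $folder   = Join-Path (Split-Path $KeyPath) '*'
    $keyFiles = @(Get-ChildItem $folder -Include '*.pfx', '*.pem' | ForEach-Object FullName)

    [pscustomobject]@{
        Thumbprint         = $cert.Thumbprint          # SHA-1 hex, as listed under Certificates in Entra ID
        NotAfter           = $cert.NotAfter            # certificate expiry
        # -ceq: Base64 is case-sensitive; the -match guards against two empty outputs.
        KeyMatchesCert     = ($certPub -ceq $keyPub) -and ($keyPub -match 'BEGIN PUBLIC KEY')
        IsUnencryptedPkcs8 = $pem.TrimStart().StartsWith('-----BEGIN PRIVATE KEY-----')
        SingleLineIsOneRow = ($singleLine -notmatch "[`r`n]")
        RoundTripOk        = ($restored -ceq ($pem -replace "`r`n", "`n"))
        KeyFilesOnDisk     = $keyFiles
    }
}

Test-DruvaKeyMaterial | Format-List
```

Every boolean should be True before the key is pasted into the Druva form; the files under KeyFilesOnDisk are the ones to protect or remove once configuration is complete.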
Step 3: Upload the Certificate to the App in Entra ID
This step links the certificate to the app created in Step 1.
Upload the Certificate
Go to Azure Portal
Navigate to Microsoft Entra ID > App registrations
Select the previously created app
Go to Certificates & secrets
Under Certificates, click Upload certificate
Select the file:
certificate.crt
Click Add
Step 4: Configure Druva inSync to back up M365 Chat using this Enterprise App
Log in to the Druva Admin Console
Click on Menu at top left > Microsoft 365
Click on “Teams Chat” > click “Install Azure App”
In the pop up form, fill in the details as below:
Application Name: The name of the app from Entra ID.
ClientID: The Application (client) ID of the app.
Client Secret: The client secret generated in Entra ID for the app.
Secret Expiry: The client secret's expiration date set in Entra ID.
Thumbprint: The certificate thumbprint from the app in Entra ID.
Private Key: The normalized private key in single-line format, as below:
-----BEGIN PRIVATE KEY-----\nBASE64DATA...\n-----END PRIVATE KEY-----\n
Save
If the App shows “Disconnected”, validate the steps once again.
Step 5: Configure the Druva inSync profile to start backing up Teams Chat Data.