Overview
Protecting your Microsoft 365 data with Druva takes two main steps, tenant authorization and backup configuration, and both are performed from the console itself.
We have configured a few settings by default for you, so you only have to register your M365 tenant and configure your first backup to get started with data protection. The following graphic explains what the default configuration is and what you have to do manually. You have the flexibility to change the default settings later.
The following video provides a quick preview of the M365 onboarding process.
Before you begin
Ensure that you have a Microsoft 365 global administrator account with a valid Microsoft 365 license. This account is used only for giving consent to the required permissions. The global admin role can be reduced to a normal user role later.
Step 1: Register M365 tenant
To initiate onboarding, you must establish a connection between Druva and your M365 tenant. The first step towards that is to register your M365 tenant. You must use the global admin credentials for consenting to required permissions during registration.
Select the preferred app
On the Register Microsoft 365 page, install the app you want to use to protect the M365 data. Select the Druva app that meets your requirements:
Advanced - Backs up the data for Exchange Online, Groups, OneDrive, Public folder, SharePoint, Teams
Basic - Backs up the data for Exchange Online, OneDrive, Public folder, SharePoint, Teams
Use the Basic app when you want to protect this data without providing the Directory.ReadWrite.All permission.
Exchange Online & Public folder - Backs up the data for Exchange Online and Public folder
OneDrive & SharePoint - Backs up the data for OneDrive and SharePoint
The following table explains the difference between Advanced and Basic apps.
Supported Apps/Features | M365 Advanced | M365 Basic |
Exchange Online | ✅ | ✅ |
OneDrive | ✅ | ✅ |
SharePoint | ✅ | ✅ |
Teams | ✅ | ✅ |
Public Folders | ✅ | ✅ |
Groups | ✅ | ❌ |
Multi-Geo | ✅ | ❌ |
❗ Important
The Druva app requires permissions for each app; see Microsoft 365 Permissions for Druva App.
If you are an existing user and do not want to use the Multi-Geo and Groups support features, you need to revoke access to the advanced app. No action is required if you have enabled Multi-Geo support and want to protect Microsoft Groups.
Revoke access to Microsoft 365 app
On the Re-Configure for Backup window, click the three-dots menu and select Revoke Access.
To revoke access to an app, at least one other Druva app should be configured. Revoking access removes all existing permissions, restricts backup and restore of app workloads, and terminates any ongoing backups and restores associated with that app.
Check the status of the app and perform the required action as listed below:
Not Configured: Configure Microsoft 365 app
Not Connected: Reconfigure Microsoft 365 app
Not Licensed: Get a new license or renew the license if expired
Connected: Configure Cloud App settings to define user attributes.
Provide required permissions
Each app requires specific permissions. To proceed further, you must use the global admin account to provide consent to the permissions. For more information about permissions, see Microsoft 365 Permissions for Druva App.
Default configuration
Cloud Key Management
By default, the Cloud Key Management system is selected for data protection. You can opt for AD Connector as an alternative approach for data protection.
Once you save this setting, you cannot disable it later. You can skip this setting at this step and set it later. Scheduled backups will not be triggered automatically until this is set.
Azure AD
The default user deployment method is Azure AD. You can change it later from the Overview page.
For information about user deployment, see Configure inSync for user provisioning.
📝 Note
If you change the user deployment method to SCIM or AD/LDAP, you have to add users manually while configuring users' backup. If you want to automatically configure users' backup by mapping Azure AD attributes to storage and profile, you must do that from the User Deployment page.
After a successful connection between Druva and your Microsoft 365 account, the data is discovered automatically for each workload. The number of members discovered in Azure AD tenant is displayed.
Step 2: Configure backup
On the Overview page, click Configure Backup from the preferred card.
Configure backup for Exchange Online and OneDrive
Import the users automatically and configure the backup for users either manually or automatically by using the AD mappings.
You can configure backup for Exchange Online and OneDrive in two ways:
Quick Configure
Auto Configure
Quick configure
Manually configure the backup by assigning storage and profile to the users to be backed up.
Follow these steps to configure the backup:
Enter the user name or email address of the users to be backed up in the Users to Backup field.
Available users will start showing up while you type. You can select multiple users from the user list.
Select the storage where the users' data should be saved from the Assign storage drop-down list.
Select a profile from the Assign Profile drop-down list. For more information about profiles, see Configure a profile to protect Microsoft 365 app data.
📝 Note
The default profile has Exchange Online and OneDrive apps enabled for backup.
The Profile Summary section displays the apps to be backed up, backup frequency, and retention settings.
(Optional) Select Send activation email to newly added users if you want to send an invitation email to all the newly added users. You can customize the emails to be sent to the users. For more information, see Customize the new user activation email.
Click Save.
Backup is initiated automatically for the selected users.
Auto Configure
Automatically configure users' backup by mapping Azure AD attributes to storage and profile. You can filter users by Groups or by Azure AD attribute, or you can import all users, and then assign storage and profile to the users.
Specify a name for the Azure AD Integration mapping.
Filter users by using any of the following methods.
Groups: Import users that belong to a specific Azure AD group. In the Groups field, enter one or multiple Groups. You can enter the first letter, and a list of the top 10 Azure AD groups is displayed. The supported group types are Microsoft 365 groups, distribution groups, security groups, and mail-enabled security groups.
Azure AD Attributes: Import users based on a specific Azure AD attribute name and matching values. Specify the Azure AD attribute name. In the Value(s) box, type the value for the attribute. See Reference for Attributes list.
Considerations: The filter is case-sensitive. The value you specify in the Azure AD mapping and the attribute value should be in the correct case, that is, the same case that the Graph API returns. For example, displayName, companyName, postalCode, preferredDataLocation.
Use a comma to specify multiple values for the attribute.
Only the user accounts that match the values specified in the box are mapped to this mapping.
All Users: Import all the users based on no criteria.
Select the storage where the users' data should be saved from the Assign storage drop-down list.
Select a profile from the Assign Profile drop-down list. For more information about profiles, see Configure Druva inSync for Microsoft 365.
📝 Note
The default profile has Exchange Online and OneDrive apps enabled for backup.
The Profile Summary section displays the apps to be backed up, backup frequency, and retention settings.
(Optional) Select Send activation email to newly added users if you want to send an invitation email to all the newly added users. You can customize the emails to be sent to the users. For more information, see Customize the new user activation email.
Click Save.
Backup is initiated automatically for the selected users.
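The case-sensitive Azure AD attribute filter described in the Auto Configure steps can leave users out of a mapping without any error, so it is worth checking a planned mapping against an export of your directory first. The following Python sketch is an added example, not Druva code: it assumes the attribute name and each value are compared exactly, that whitespace around comma-separated values is trimmed, and it runs on constructed user records shaped like Microsoft Graph user objects.

```python
# Added example (not Druva code): models the filter rules stated above.
# Attribute names are the four this page lists, in Graph API casing.
GRAPH_ATTRS = ("displayName", "companyName", "postalCode", "preferredDataLocation")

def parse_values(raw):
    """Split the comma-separated Value(s) box. Assumption: whitespace is trimmed."""
    return {v.strip() for v in raw.split(",") if v.strip()}

def audit_mapping(attr_name, raw_values, users):
    """Classify users as mapped, missed only because of case, or unmatched."""
    report = {"attr_warning": None, "mapped": [], "case_miss": [], "unmatched": []}
    if attr_name not in GRAPH_ATTRS:
        canonical = {a.lower(): a for a in GRAPH_ATTRS}.get(attr_name.lower())
        report["attr_warning"] = (
            f"use '{canonical}' (case-sensitive)" if canonical
            else "attribute is not in the checked list")
    wanted = parse_values(raw_values)
    wanted_folded = {v.casefold() for v in wanted}
    for user in users:
        value = user.get(attr_name)          # exact-case key lookup
        upn = user["userPrincipalName"]
        if value in wanted:
            report["mapped"].append(upn)
        elif isinstance(value, str) and value.casefold() in wanted_folded:
            report["case_miss"].append(upn)  # differs only by case: not mapped
        else:
            report["unmatched"].append(upn)
    return report

# Constructed sample records shaped like Microsoft Graph user objects.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "companyName": "Contoso"},
    {"userPrincipalName": "bob@example.com", "companyName": "contoso"},
    {"userPrincipalName": "carol@example.com", "companyName": "Fabrikam"},
    {"userPrincipalName": "dave@example.com", "companyName": None},
    {"userPrincipalName": "erin@example.com", "companyName": "Northwind"},
]

if __name__ == "__main__":
    for attr in ("companyName", "companyname"):
        print(attr, audit_mapping(attr, "Contoso, Fabrikam", SAMPLE_USERS))
```

Any user listed under case_miss would not be imported by the mapping as entered and so would not be protected until the value or the directory attribute is corrected.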
Configure backup for Teams, Groups, SharePoint Online, and Public folder
You can assign backup configuration settings to configure Teams, Groups, SharePoint Online, and Public folder. Refer to the topics below to know details about the backup configuration for Groups, SharePoint Online, Teams, and Public folder.
📝 Note
Along with Groups, its associated Teams and SharePoint sites including private sites are also protected. Along with Teams, its associated SharePoint sites including private sites are also protected.
Basic Configuration
After you configure the first backup, these are some additional tasks that you can do. Refer to the following table for details.
Task | Description |
Add Microsoft 365 app users to inSync | To start the backup of Microsoft 365 app data of users, the administrator must add or create users in inSync. inSync supports the following methods to add or create new users:
If users are already created, assign the profile that you specifically created to manage SaaS App users. To manually assign a profile to a user, see Update the profile assigned to users. |
Back up Microsoft 365 data manually | As a Cloud administrator, you have an option to initiate an unscheduled backup of Microsoft 365 data as and when needed. |
Restore Microsoft 365 data | Restore of data ensures that the data is available for future reference and business continuity and can be retrieved in case of accidental deletion or malicious activities. As a Cloud administrator, you can restore the Microsoft 365 data. Refer to the following links for details. |
Download Microsoft 365 apps data | You can download Microsoft 365 data at custom locations such as laptops or desktops. You can perform a download of entire Microsoft 365 apps data or selective downloads of specific data residing within Microsoft 365 apps. Refer to the following links for details. |
Monitor Microsoft 365 data | You can monitor all the activities related to backup and restore by using alerts, logs, reports, and audit trails. |
Advanced Configuration
After you have started the backups, there are some advanced configurations that you can consider. Refer to the table below.
Configuration | Description |
Multi-Geo | With this feature, you can protect data for Microsoft 365 Multi-Geo enabled tenants. You can also assign storage to users based on their geo-location. For more information about multi-geo support, see the following articles. |
Data lock | You can enable Data Lock to prevent modification, deletion, or tampering of business-critical data and make it immutable. For more information, see Data Lock. |
User provisioning | Druva offers different approaches to configure inSync for user provisioning. For more information, see Configure inSync for user provisioning. |
Azure Active Directory (AD) Conditional Access policies | Druva validates the Conditional Access policies enabled for your Microsoft 365 tenant during the Microsoft 365 app configuration to authenticate and provide conditional access to users. |
Configure SaaS Apps settings for Microsoft 365 | Define the user attribute that you want inSync to use to map user account to their Microsoft 365 app account. For more information, see Configure SaaS Apps settings for Microsoft 365. |
Get user data encryption key(ekey) | To ensure that the Microsoft 365 data that is backed up is secure, you must configure inSync to get the data encryption key(ekey). For more information, see Get user data encryption key (ekey). |
Configure a profile to protect Microsoft 365 app data | To back up Microsoft 365 app data, you must specify the Microsoft 365 backup settings in an existing profile or in a new profile. For more information, see Configure a profile to protect Microsoft 365 app data. |
Reconfigure Microsoft 365
Reconfiguration of the Microsoft 365 app is required in the following scenarios:
App is disconnected
Discover a new Cloud App that is added to inSync.
For any permission-related updates required by the inSync app in Microsoft Azure.
Any permission-related changes that are made to the global administrator account used to configure a Microsoft 365 app in inSync.
Example: If any changes are made to the conditional access permissions of the global administrator account used to configure any Microsoft 365 app, you must reconfigure the Microsoft 365 account in inSync.
📝 Note
When you reconfigure Microsoft 365, inSync stops all the ongoing cloud app backups.
To reconfigure inSync with Microsoft 365:
On the Overview page, click Re-Configure.
On the Re-Configure for Backup page, click the three-dots menu > Re-Configure beside the app type that you want to reconfigure.
📝 Note
The Microsoft 365 tenant must be the same for all the sub-apps you would like to configure. Configuring sub-apps for Microsoft 365 in multiple tenants is not supported.
On the confirmation pop-up, click Re-Configure to proceed with reconfiguration.
On the Microsoft 365 login page, enter the Microsoft 365 global administrator's user name and password, and then click Sign in.
Click Accept to grant inSync app the required permissions to access Microsoft 365 data.
The permissions displayed are a combined list for all Microsoft 365 apps. If you want to know more about specific permissions applicable for each app, see Microsoft 365 Permissions for Druva App.
inSync gets connected to Microsoft 365 data of all users in your organization.
Verify Configuration
After you complete the configuration of inSync with the Microsoft 365 app, you can use the Verify Configuration option to check if inSync can access your users.
To verify the configuration:
Sign in to inSync Management Console and navigate to Microsoft 365.
On the Overview page, click and then click Verify.
In the Verify Configuration dialog, select the app for which you want to verify the configuration.
Based on the selection of the app, the options to verify the configuration are displayed. The following image displays options when Microsoft 365 app is selected.
Here is the list of parameters for each sub-app to verify the configuration:
Exchange Online and OneDrive: Email ID of the user
By default, OneDrive is mapped to the Username parameter in Microsoft 365, which cannot be changed. If the email ID and UPN are different in the Microsoft 365 tenant, then OneDrive backup will fail.
SharePoint: Site title
Teams: Team Name
Public folder: Public folder name
inSync recommends that you enter an organization user email address to check if the configuration works instead of an administrator user.
When you select an app and provide the parameters for verification, inSync performs the following checks as a part of verification:
App authentication: This step checks if inSync can utilize the available refresh tokens to validate the connection with the Microsoft 365 tenant.
User and user's M365 Exchange Online & OneDrive devices: This step checks if the user exists at the Microsoft 365 end.
If any of the authentication steps fail for the selected app, you are prompted with an error message. Click the error message to view the error details.
FAQs
Why do I need a global admin account?
The global admin account is required to give consent to the required permissions. The global admin role can be reduced to a normal user role later.
How to decide which app to install?
Depending on the Microsoft 365 Apps you want to protect, you can choose the Druva App. The set of permissions required by Druva differs depending on the apps you want to protect.
Why is KMS recommended over AD Connector?
KMS is required for running scheduled backups. Enabling Cloud Key management has the following benefits:
Remove dependency on AD Connector for scheduled backups for SaaS Apps.
Remove the risk of all backups failing in case of AD connector disconnections.
Reduce the risk of non-availability of backups for restore purpose in case of a Ransomware attack.
Strict adherence to backup SLAs by removing the risk of backup interruptions due to environment maintenance.
How to switch to a different user deployment method?
You can change the user deployment method later from the Overview page.