Skip to main content
All CollectionsMicrosoft 365Protect Your M365 Data Using Druva Cloud
Quick Configuration Guide to Protect Microsoft 365 Data
Quick Configuration Guide to Protect Microsoft 365 Data
Updated this week

Overview

Protecting your Microsoft 365 data with Druva has never been this simple. You need to perform two main steps: tenant authorization and backup configuration. That, too, is all from the console itself.

m365_onboarding_process_1.png

We have configured a few settings by default for you, and you just have to register your M365 tenant and configure your first backup to get started with data protection. The following graphic explains what is the default configuration and what you have to do manually. You have the flexibility the change the default settings later.

default_config.png
manual_config.png

The following video provides a quick preview of the M365 onboarding process.

Before you begin

Ensure that you have a Microsoft 365 global administrator account with a valid Microsoft 365 license. This account is used only for giving consent to the required permissions. The global admin role can be reduced to a normal user role later.

Step 1: Register M365 tenant

To initiate onboarding, you must establish a connection between Druva and your M365 tenant. The first step towards that is to register your M365 tenant. You must use the global admin credentials for consenting to required permissions during registration.

Select the preferred app

On the Register Microsoft 365 page, install the app you want to use to protect the M365 data. Select the Druva app that meets your requirements:

  • Advanced - Backs up the data for Exchange Online, Groups, OneDrive, Public folder, SharePoint, Teams

  • Basic - Backs up the data for Exchange Online, OneDrive, Public folder, SharePoint, Teams
    Use the Basic app when you want to protect this data without providing the Directory.ReadWrite.All permission.

  • Exchange Online & Public folder - Backs up the data for Exchange Online and Public folder

  • OneDrive & SharePoint - Backs up the data for OneDrive and SharePoint

The following table explains the difference between Advanced and Basic apps.

Supported Apps/Features

M365 Advanced

M365 Basic

Exchange Online

OneDrive

SharePoint

Teams

Public Folders

Groups

Multi-Geo


❗ Important

Druva app requires permissions for each app, see Microsoft 365 Permissions for Druva App.


If you are an existing user and do not want to use the Multi-Geo and Groups support features, you need to revoke access to the advanced app. No action is required if you have enabled Multi-Geo support and want to protect Microsoft Groups.

Revoke access to Microsoft 365 app

On the Re-Configure for Backup window, click the three-dots menu and select Revoke Access.

revoke_access.png

At least one other Druva app should be configured to revoke access of another app. Revoking access removes all existing permissions, restricts backup and restore of app workloads, and terminates any ongoing backups and restores associated with that app.

Check the status of app and perform the required action as listed below:

  • Not Configured: Configure Microsoft 365 app

  • Not Connected: Reconfigure Microsoft 365 app

  • Not Licensed: Get a new license or renew the license if expired

  • Connected: Configure Cloud App settings to define user attributes.

register.png

Provide required permissions

Each app requires specific permissions. You must provide consent to the permissions to proceed further using the global admin account. For more information about permissions, see Microsoft 365 Permissions for Druva App.

Default configuration

Cloud Key Management

By default, the Cloud Key Management system is selected for data protection.

Once you save this setting, you cannot disable it later. You can skip this setting at this step and set it later. Scheduled backups will not be triggered automatically until this is set.

If your organizational policies require complete control over the encryption of the data backed up by Druva, Enterprise Key Management is the solution for you. For more information, see Enterprise Key Management for Microsoft 365.

Azure AD

The default user deployment method is Azure AD. You can change it later from the Overview page.

For information about user deployment, see Configure inSync for user provisioning.


📝 Note

If you change the user deployment method to SCIM or AD/LDAP, you have to add users manually while configuring users' backup. If you want to automatically configure users' backup by mapping Azure AD attributes to storage and profile, you must do that from the User Deployment page.


After a successful connection between Druva and your Microsoft 365 account, the data is discovered automatically for each workload. The number of members discovered in Azure AD tenant is displayed.

overview.png

Step 2: Configure backup

On the Overview page, click Configure Backup from the preferred card.

Configure backup for Exchange Online and OneDrive

Import the users automatically and configure the backup for users either manually or automatically by using the AD mappings.

You can configure backup for Exchange Online and OneDrive in two ways:

  • Quick Configure

  • Auto Configure

Quick configure

Manually configure the backup by assigning storage and profile to the users to be backed up.

quick_config.png

Follow these steps to configure the backup:

  1. Enter the user name or email address of the users to be backed up in the Users to Backup field.
    Available users will start showing up while you type. You can select multiple users from the user list.

  2. Select the storage where the users' data should be saved from the Assign storage drop-down list.

  3. Select a profile from the Assign Profile drop-down list. For more information about profiles, see Configure a profile to protect Microsoft 365 app data.


    📝 Note

    The default profile has Exchange Online and OneDrive apps enabled for backup.


    The Profile Summary section displays the apps to be backed up, backup frequency, and retention settings.

  4. (Optional) Select Send activation email to newly added users if you want to send an invitation email to all the newly added users. You can customize the emails to be sent to the users. For more information, see Customize the new user activation email.

  5. Click Save.


    Backup is initiated automatically for the selected users.

Auto Configure

Automatically configure users' backup by mapping Azure AD attributes to storage and profile. You can filter users by using Groups, Azure AD attribute, or you can import all users, and then you can assign storage and profile to the users.

auto_config.png
  1. Specify a name for the Azure AD Integration mapping.

  2. Filter users by using any of the following methods.

    • Groups: Import users that belong to a specific Azure AD group. In the Groups field, enter one or multiple Groups. You can enter the first letter, and a list of the top 10 Azure AD groups is displayed. The supported group types are Microsoft 365 groups, distribution groups, security groups, and mail-enabled security groups.

    • Azure AD Attributes: Import users based on a specific Azure AD attribute name and matching values. Specify the Azure AD attribute name. In the Value(s) box, type the value for the attribute. See Reference for Attributes list.
      Considerations:

      • The filter is case-sensitive. The value you specify in the Azure AD mapping and the attribute value should be in the correct case. the same case that graph API returns. For example, displayName, companyName, postalCode, preferredDataLocation.

      • Use a comma to specify multiple values for the attribute.

      • Only the user accounts, that match the values specified in the box are mapped to this mapping.

    • All Users: Import all the users based on no criteria

  3. Select the storage where the users' data should be saved from the Assign storage drop-down list.

  4. Select a profile from the Assign Profile drop-down list. For more information about profiles, see Configure Druva inSync for Microsoft 365.


    📝 Note

    The default profile has Exchange Online and OneDrive apps enabled for backup.


    The Profile Summary section displays the apps to be backed up, backup frequency, and retention settings.

  5. (Optional) Select Send activation email to newly added users if you want to send an invitation email to all the newly added users. You can customize the emails to be sent to the users. For more information, see Customize the new user activation email.

  6. Click Save.
    Backup is initiated automatically for the selected users.

Configure backup for Teams, Groups, SharePoint Online, and Public folder

You can assign backup configuration settings to configure Teams, Groups, SharePoint Online, and Public folder. Refer to the topics below to know details about the backup configuration for Groups, SharePoint Online, Teams, and Public folder.


📝 Note

Along with Groups, its associated Teams and SharePoint sites including private sites are also protected. Along with Teams, its associated SharePoint sites including private sites are also protected.


Basic Configuration

After you configure the first backup, these are some additional tasks that you can do. Refer to the following table for details.

Task

Description

Add Microsoft 365 app users to inSync

To start the backup of Microsoft 365 app data of users, the administrator must add or create users in inSync. inSync supports the following methods to add or create new users:

If users are already created, assign the profile that you specifically created to manage SaaS App users. To manually assign a profile to a user, see Update the profile assigned to users.

Back up Microsoft 365 data manually

As a Cloud administrator, you have an option to initiate an unscheduled backup of Microsoft 365 data as and when needed.

Restore Microsoft 365 data

Restore of data ensures that the data is available for future reference and business continuity and can be retrieved in case of accidental deletion or malicious activities. As a Cloud administrator, you can restore the Microsoft 365 data. Refer to the following links for details.

Download Microsoft 365 apps data

You can download Microsoft 365 data at custom locations such as laptops or desktops. You can perform a download of entire Microsoft 365 apps data or selective downloads of specific data residing within Microsoft 365 apps. Refer to the following links for details.

Monitor Microsoft 365 data

You can monitor all the activities related to backup and restore by using alerts, logs, reports, and audit trails.

  • Configure email alerts for backup or restore-related activities and stay updated. For details, see Alerts.

  • Download log files pertaining to a user's activities. For details, see Download inSync user log file.

  • View reports that contain a summary of events and activities that have occurred during a specific period. For details, see Reports.

  • Track the changes users and Administrators are making by using Audit Trails page.

Advanced Configuration

After you have started the backups, there are some advanced configurations that you can consider. Refer to the table below.

Configuration

Description

Multi-Geo

With this feature, you can protect data for Microsoft 365 Multi-Geo enabled tenants. You can also assign storage to users based on their geo-location. For more information about multi-geo support, see the following articles.

Data lock

You can enable Data Lock to prevent modification, deletion, or tampering of business-critical data and make it immutable. For more information, see Data Lock.

User provisioning

Druva offers different approaches to configure inSync for user provisioning. For more information, see Configure inSync for user provisioning.

Azure Active Directory (AD) Conditional Access policies

Druva validates the Conditional Access policies enabled for your Microsoft 365 tenant during the Microsoft 365 app configuration to authenticate and provide conditional access to users.

Configure SaaS Apps settings for Microsoft 365

Define the user attribute that you want inSync to use to map user account to their Microsoft 365 app account. For more information, see Configure SaaS Apps settings for Microsoft 365.

Get user data encryption key(ekey)

To ensure that the Microsoft 365 data that is backed up is secure, you must configure inSync to get the data encryption key(ekey). For more information, see Get user data encryption key (ekey).

Configure a profile to protect Microsoft 365 app data

To back up Microsoft 365 app data, you must specify the Microsoft 365 backup settings in an existing profile or in a new profile. For more information, see Configure a profile to protect Microsoft 365 app data.

Reconfigure Microsoft 365

Reconfiguration of the Microsoft 365 app is required in the following scenarios:

  • App is disconnected

  • Discover a new Cloud App that is added to inSync.

  • For any permissions related updates required by inSync app in Microsoft Azure.

  • Any permission-related changes that are made to the global administrator account used to configure an Microsoft 365 app in inSync.


    Example: If any changes are made to the conditional access permissions of the global administrator account used to configure any Microsoft 365 app, you must reconfigure the Microsoft 365 account in inSync.


📝 Note

When you reconfigure Microsoft 365, inSync stops all the ongoing cloud app backups.


To reconfigure inSync with Microsoft 365:

  1. On the Overview page, click Re-Configure.

  2. On the Re-Configure for Backup page, click the three-dots menu

    > Re-Configure besides the app type that you want to reconfigure.


    📝 Note

    The Microsoft 365 tenant must be the same for all the sub-apps you would like to configure. Configuring sub-apps for Microsoft 365 in multiple tenants is not supported.



    App_reconfig.png
  3. On the confirmation pop-up, click Re-Configure to proceed with reconfiguration.

  4. On the Microsoft 365 login page, enter the Microsoft 365 global administrator's user name and password, and then click Sign in.

  5. Click Accept to grant inSync app the required permissions to access Microsoft 365 data.

  6. The permissions displayed are a combined list for all Microsoft 365 apps. If you want to know more about specific permissions applicable for each app, see Microsoft 365 Permissions for Druva App.

    inSync gets connected to Microsoft 365 data of all users in your organization.

Verify Configuration

After you complete the configuration of inSync with the Microsoft 365 app, you can use the Verify Configuration option to check if inSync can access your users.

To verify the configuration:

  1. Sign in to inSync Management Console and navigate to Microsoft 365.

  2. On the Overview page, click and then click Verify.

  3. In the Verify Configuration dialog, select the app for which you want to verify the configuration.
    Based on the selection of the app, the options to verify the configuration are displayed. The following image displays options when Microsoft 365 app is selected.

    M365_Verify_Configuration.png

    Here is the list of parameters for each sub-app to verify the configuration:

    • Exchange Online and OneDrive: Email ID of the user
      By default OneDrive is mapped to the Username parameter in Microsoft 365, which cannot be changed. If the email ID and UPN are different in Microsoft 365 tenant then OneDrive backup will fail.

    • SharePoint: Site title

    • Teams: Team Name

    • Public folder: Public folder name inSync recommends that you enter an organization user email address to check if the configuration works instead of an administrator user.

  4. When you select an app and provide the parameters for verification, inSync performs the following checks as a part of verification:

    • App authentication: This step checks if inSync can utilize the available refresh tokens to validate the connection with the Microsoft 365 tenant.

    • User and user's M365 Exchange Online & OneDrive devices: This step checks if the user exists at the Microsoft 365 end.

  5. If any of the authentication steps fail for the selected app, you are prompted with an error message. Click the error message to view the error details.

    M365_Verify_Config_ESITENOTFOUND.png

FAQs

  • Why do I need a global admin account?

    The global admin account is required to give consent to the required permissions. The global admin role can be reduced to a normal user role later.

  • How to decide which app to install?

    Depending on the Microsoft 365 Apps you want to protect can choose the Druva App. The set of permissions required by Druva differs depending on the apps you want to protect.

  • How to switch to a different user deployment method?

    You can change the user deployment method later from the Overview page.

Did this answer your question?