Protecting Microsoft 365 data
Why back up Microsoft 365 data?
Even though Microsoft 365 is a set of cloud services, regular backups provide an additional layer of protection from user errors and intentional malicious actions. You can recover deleted items from a backup even after the Microsoft 365 retention period has expired. Also, you can keep a local copy of the Exchange Online mailboxes if it is required for regulatory compliance.
Agent for Microsoft 365
Depending on the desired functionality, you can choose to install Agent for Microsoft 365 locally, use the agent installed in the cloud, or both. The following table summarizes the functionality of the local and the cloud agent.
Local Agent for Microsoft 365 | Cloud Agent for Microsoft 365 | |
---|---|---|
Data items that can be backed up |
Exchange Online: user and shared mailboxes |
|
Backup of archive mailboxes (In-Place Archive) |
No |
Yes |
Backup schedule |
Cannot be changed. Each protection plan runs daily at the same time of day.* |
|
Backup locations |
Cloud storage, local folder, network folder |
Cloud storage only |
Automatic protection of new Microsoft 365 users, groups, sites, and teams |
No |
Yes, by applying a protection plan to the All users, All groups, All sites, All teams groups |
Protecting more than one Microsoft 365 organization |
No |
Yes |
Granular recovery |
Yes |
Yes |
Recovery to another user within one organization |
Yes |
Yes |
Recovery to another organization |
No |
Yes |
Recovery to an on-premises Microsoft Exchange Server |
No |
No |
Maximum number of items that can be backed up without performance degradation |
When backing up to the cloud storage: 5000 mailboxes per company When backing up to other destinations: 2000 mailboxes per protection plan (no limitation for number of mailboxes per company) |
10 000 protected items (mailboxes, OneDrives, or sites) per company** |
Maximum number of manual backup runs |
No |
|
Maximum number of simultaneous recovery operations |
No |
10 operations, including Google Workspace recovery operations |
* Because a cloud agent serves multiple customers, it determines the start time for each protection plan on its own, to ensure even load during a day and the equal quality of service for all customers.
The protection schedule might be affected by the operation of third-party services, for example, the accessibility of Microsoft 365 servers, throttling settings on the Microsoft servers, and others. See also https://docs.microsoft.com/en-us/graph/throttling.
** It is recommended that you back up your protected items gradually and in this order:
- Mailboxes.
- After all mailboxes are backed up, proceed with OneDrives.
- After OneDrive backup is completed, proceed with the SharePoint Online sites.
The first full backup may take several days, depending on the number of protected items and their size.
Limitations
- Only users with an assigned Microsoft 365 license can have their mailboxes and OneDrives backed up.
- A mailbox backup includes only folders visible to users. The Recoverable items folder and its subfolders (Deletions, Versions, Purges, Audits, DiscoveryHold, Calendar Logging) are not included in a mailbox backup.
- Automatic creation of users, public folders, groups, or sites during a recovery is not possible. For example, if you want to recover a deleted SharePoint Online site, first create a new site manually, and then specify it as the target site during a recovery.
- You cannot simultaneously recover items from different recovering points, even though you can select such items from the search results.
-
During a backup, any sensitivity labels that are applied to the content will be preserved. Therefore, sensitive content might not be shown if it is recovered to a non-original location and its user has different access permissions.
Required user rights
In the Cyber Protection service
The local Agent for Microsoft 365 must be registered under a company administrator account and used on the customer tenant level. Company administrators acting on the unit level, unit administrators, and users cannot back up or recover Microsoft 365 data.
The cloud Agent for Microsoft 365 can be used both on a customer tenant level and on a unit level. For more information about these levels and their respective administrators, refer to Administering Microsoft 365 organizations added on different levels.
In Microsoft 365
Your account must be assigned the global administrator role in Microsoft 365.
To back up and recover Microsoft 365 public folders, at least one of your Microsoft 365 administrator accounts must have a mailbox and read/write rights to the public folders that you want to back up.
- The local agent will log in to Microsoft 365 by using this account. To enable the agent to access the contents of all mailboxes, this account will be assigned the ApplicationImpersonation management role. If you change this account password, update the password in the service console, as described in "Changing the Microsoft 365 access credentials".
- The cloud agent does not log in to Microsoft 365. The agent is given the necessary permissions directly by Microsoft 365. You only need to confirm granting these permissions once, being signed in as a global administrator. The agent does not store your account credentials and does not use them to perform backup and recovery. Changing this account password or disabling this account or deleting this account in Microsoft 365 does not affect agent operation.
Microsoft 365 seats licensing report
Company administrators can download a report about the protected Microsoft 365 seats and their licensing. The report is in the CSV format and includes information about the licensing status of a seat and the reason why a license is used. The report includes also the protected seat name, associated email, group, Microsoft 365 organization, name and type of the protected workload.
This report is only available for tenants in which a Microsoft 365 Organization is registered.
To download the Microsoft 365 seats licensing report
- Log in to the Cyber Protection service console as a company administrator.
- Click the account icon in the top-right corner.
- Click Microsoft 365 seats licensing report.