Protecting Microsoft 365 data

Why back up Microsoft 365 data?

Even though Microsoft 365 is a set of cloud services, regular backups provide an additional layer of protection from user errors and intentional malicious actions. You can recover deleted items from a backup even after the Microsoft 365 retention period has expired. Also, you can keep a local copy of the Exchange Online mailboxes if it is required for regulatory compliance.

Agent for Microsoft 365

Depending on the desired functionality, you can choose to install Agent for Microsoft 365 locally, use the agent installed in the cloud, or both. The following table summarizes the functionality of the local and the cloud agent.

  Local Agent for Microsoft 365 Cloud Agent for Microsoft 365
Data items that can be backed up

Exchange Online: user and shared mailboxes

  • Exchange Online: user, shared, and group mailboxes; public folders
  • OneDrive: user files and folders
  • SharePoint Online: classic site collections, group (team) sites, communication sites, individual data items
  • Microsoft 365 Teams: entire teams, team channels, channel files, team mailboxes, files and email messages in team mailboxes, meetings, team sites
Backup of archive mailboxes (In-Place Archive)

No

Yes

Backup schedule

User-defined

Cannot be changed. Each protection plan runs daily at the same time of day.*

Backup locations

Cloud storage, local folder, network folder

Cloud storage only

Automatic protection of new Microsoft 365 users, groups, sites, and teams

No

Yes, by applying a protection plan to the All users, All groups, All sites, All teams groups

Protecting more than one Microsoft 365 organization

No

Yes

Granular recovery

Yes

Yes

Recovery to another user within one organization

Yes

Yes

Recovery to another organization

No

Yes

Recovery to an on-premises Microsoft Exchange Server

No

No

Maximum number of items that can be backed up without performance degradation

When backing up to the cloud storage: 5000 mailboxes per company

When backing up to other destinations: 2000 mailboxes per protection plan (no limitation for number of mailboxes per company)

10 000 protected items (mailboxes, OneDrives, or sites) per company**

Maximum number of manual backup runs

No

10 manual runs during an hour

Maximum number of simultaneous recovery operations

No

10 operations, including Google Workspace recovery operations

* Because a cloud agent serves multiple customers, it determines the start time for each protection plan on its own, to ensure even load during a day and the equal quality of service for all customers.

The protection schedule might be affected by the operation of third-party services, for example, the accessibility of Microsoft 365 servers, throttling settings on the Microsoft servers, and others. See also https://docs.microsoft.com/en-us/graph/throttling.

** It is recommended that you back up your protected items gradually and in this order:

  1. Mailboxes.
  2. After all mailboxes are backed up, proceed with OneDrives.
  3. After OneDrive backup is completed, proceed with the SharePoint Online sites.

The first full backup may take several days, depending on the number of protected items and their size.

Limitations

  • Only users with an assigned Microsoft 365 license can have their mailboxes and OneDrives backed up.
  • A mailbox backup includes only folders visible to users. The Recoverable items folder and its subfolders (Deletions, Versions, Purges, Audits, DiscoveryHold, Calendar Logging) are not included in a mailbox backup.
  • Automatic creation of users, public folders, groups, or sites during a recovery is not possible. For example, if you want to recover a deleted SharePoint Online site, first create a new site manually, and then specify it as the target site during a recovery.
  • You cannot simultaneously recover items from different recovering points, even though you can select such items from the search results.
  • During a backup, any sensitivity labels that are applied to the content will be preserved. Therefore, sensitive content might not be shown if it is recovered to a non-original location and its user has different access permissions.

Required user rights

In the Cyber Protection service

The local Agent for Microsoft 365 must be registered under a company administrator account and used on the customer tenant level. Company administrators acting on the unit level, unit administrators, and users cannot back up or recover Microsoft 365 data.

The cloud Agent for Microsoft 365 can be used both on a customer tenant level and on a unit level. For more information about these levels and their respective administrators, refer to Administering Microsoft 365 organizations added on different levels.

In Microsoft 365

Your account must be assigned the global administrator role in Microsoft 365.

To back up and recover Microsoft 365 public folders, at least one of your Microsoft 365 administrator accounts must have a mailbox and read/write rights to the public folders that you want to back up.

  • The local agent will log in to Microsoft 365 by using this account. To enable the agent to access the contents of all mailboxes, this account will be assigned the ApplicationImpersonation management role. If you change this account password, update the password in the service console, as described in "Changing the Microsoft 365 access credentials".
  • The cloud agent does not log in to Microsoft 365. The agent is given the necessary permissions directly by Microsoft 365. You only need to confirm granting these permissions once, being signed in as a global administrator. The agent does not store your account credentials and does not use them to perform backup and recovery. Changing this account password or disabling this account or deleting this account in Microsoft 365 does not affect agent operation.

Microsoft 365 seats licensing report

Company administrators can download a report about the protected Microsoft 365 seats and their licensing. The report is in the CSV format and includes information about the licensing status of a seat and the reason why a license is used. The report includes also the protected seat name, associated email, group, Microsoft 365 organization, name and type of the protected workload.

This report is only available for tenants in which a Microsoft 365 Organization is registered.

To download the Microsoft 365 seats licensing report

  1. Log in to the Cyber Protection service console as a company administrator.
  2. Click the account icon in the top-right corner.
  3. Click Microsoft 365 seats licensing report.