Skip to main content
Druva Documentation

Configure inSync to protect Exchange Online data

inSync Cloud Editions: File:/tick.png Elite Plus File:/tick.png Elite File:/cross.png Enterprise File:/cross.png Business

Before you begin 

Before you initiate Druva inSync to protect Exchange Online data, ensure the following -

  • You have an Microsoft 365 global administrator account with a valid Microsoft 365 license.
  • You have an Microsoft 365 tenant administrator account. To learn more about how to create a tenant administrator account, check the Microsoft 365 documentation.

Configure Druva inSync to protect Microsoft 365: Exchange Online

Log in to the inSync Management Console as a Druva inSync Cloud administrator and perform the following steps to set-up Druva inSync to configure and protect Exchange Online data.

Step 1: Provide Druva inSync permissions to access Exchange Online data

To protect and backup Exchange Online data, Druva inSync requires authorization from Microsoft 365. Also, the Druva inSync Cloud administrator must accept the required permissions to access Exchange Online data. 

Druva inSync uses OAuth 2.0 to communicate with services like Microsoft 365. OAuth is an open protocol for token-based authentication and authorization on the Internet. For more information on OAuth 2.0, see the OAuth website.


To establish the connection with Microsoft 365 and provide required permissions to Druva inSync:

  1. In the inSync Management Console menu bar, click Data Sources > Cloud Apps.
  2. On the Manage Cloud Apps page, select the Microsoft 365 app, and then click Configure. 
  3. On the confirmation message that appears, click Yes to proceed with the configuration. 
  4. On the Microsoft 365 login page, enter the tenant administrator's user name and password for Microsoft 365, and then click Sign in
  5. Click Accept to grant Druva inSync app the required permissions to access Exchange Online data. For more information about the required permissions, see Required permissions for access to Exchange Online.

       After you accept the permissions, Druva inSync gets connected to Microsoft 365 and can access data of all users in your organization.


After the Microsoft 365 is configured, you can view the configuration details at the Manage Cloud App Accounts page.

Verify Configuration

You can use the Verify Configuration option to check if Druva inSync can access your users. 


To verify the configuration:

  1. On the inSync Management Console menu bar, click Data Sources > Cloud Apps.

2. On the Manage Cloud Apps page, select a Cloud App, and then click Verify Configuration.


3. In the Verify Configuration dialog, select a user.

  • Provide an email address in the Select a user field. 
  • Druva inSync recommends that you enter an organization user email address to check if the configuration works instead of an administrator user. 

4. When you select a user, Druva  inSync performs the following checks as a part of verification: 

  • App authentication: This step checks if Druva inSync can generate refresh tokens and access tokens for the application. This step detects changes related to Microsoft 365 permissions.
  • User and user’s endpoints existence: This step checks if the user exists at the Microsoft 365 end.
  • User mailbox existence: This step verifies if a mailbox exists for that user.

5. If any of the authentication steps fail, you are prompted with an error message. Click the error message to view the error details.

Step 2: Configure Cloud Apps settings for Exchange Online

 Define the user attribute that you want Druva inSync to use to map user account to their Microsoft 365 app account.

Only inSync administrators with the Cloud administrator role can configure the user account access settings.

Configure user accounts access using the inSync email ID or Active Directory(AD) attribute 

By default, inSync uses the email address of inSync users to map users to their Microsoft 365 app account.

If you have integrated Active Directory (AD) or LDAP with inSync to manage user information, you can configure inSync to use the User Principal Name (UPN) of users for identifying and associating them to their Microsoft 365 app account.

inSync gets the UPN information through AD Mapping configured to fetch user accounts from configured AD/LDAP with inSync. 

inSync then automatically gets user details and identifies the user accounts with the configured Cloud Apps account.

Only inSync administrators with Cloud Administrator role can configure the user account access settings.

Note: To configure Shared Mailbox as part of Microsoft 365 backup,

  • Ensure inSync is configured to use inSync Email ID to access user accounts for Microsoft 365.
  • inSync does not support AD Attribute - User Principal Name (UPN) for Shared Mailbox backup.


  1. On the Druva inSync Management Console menu bar, click Data Sources > Cloud Apps
  2. On the Manage Cloud App, select the Microsoft 365 app and then click Settings.
    The Cloud App Settings dialog box appears.
  3. By default, inSync Email ID is configured for accessing user accounts. To configure inSync to use User Principal Name (UPN) for accessing user accounts, select AD Attribute.


4. Click OK.

Configure the User custom domain for Microsoft 365

An organization may have a custom domain associated with different cloud applications such as Microsoft 365. inSync administrators must map the inSync user IDs of the users using the Microsoft 365 apps with the custom domain.

If the inSync user ID does not match with the Cloud application domain ID configured by the organization, backup for that particular cloud application services fails with an error USER NOT FOUND. 

Configuring the user custom domain for Microsoft 365 enables the administrator to allow inSync to access the user's details.


  1. On the Druva inSync Management Console menu bar, click Data Sources > Cloud Apps
  2. On the Manage Cloud App page, select theMicrosoft 365 app and then click Settings
  3. On the Cloud App Settings dialog box, select the User custom domain check box.

Custom domain new.png

4. In the Specify domain field, enter a valid and unique custom domain name. The custom domain specified in this field replaces the inSync user's existing domain and is used to access the user's details for the configured cloud application.

5. Click OK.

Step 3: Get user data encryption key(ekey)

To ensure that the Microsoft 365 data that is backed up is secure, you must configure Druva inSync to get the data encryption key(ekey). 

 inSync requires access to the ekey to initiate the scheduled backup of any Microsoft 365 app data. The ekey is used to encrypt the user data when it is being backed up to the inSync Cloud. This is part of the digital envelope encryption process that Druva strictly adheres to. Druva does not store ekey of the users and has no access to the data.

Use one of the following methods to enable Druva inSync to get the user data encryption key(ekey):

Deploy inSync Connector 
At least one inSync Connector is configured and connected to the inSync Cloud (default option). For more information, see: 


  • inSync Connector acts as a Cloud Apps connector to provide the ekeys without requiring users to have their devices connected for the Cloud Apps backup .
  • If the registered inSync Connectors are not connected, backup of the configured Cloud Apps data fails.
  • inSync Connector does not need to have any domains or AD mappings added to it.
  • inSync generates a Not Connected alert if inSync Connector is not connected.

Connect a user device 
If the inSync Connector is not configured, then, at least one endpoint device (desktop or laptop) for every user in inSync is configured for backup.

Enable Cloud Key Management 

If none of the earlier mentioned deployment options are used, you must have the Cloud Key Management feature enabled. For more information, see Configure Key Management for Cloud Apps.

Step 4: Configure a profile to protect Exchange Online data

To back up Microsoft 365: Exchange Online data, you must specify the Microsoft 365 backup settings in an existing profile or in a new profile. inSync will start backing up the user data from Microsoft 365 as per the backup schedule that is defined for a profile with Cloud Apps feature enabled.

Create a new Profile

  1. On the Druva inSync Management Console menu bar, click Profiles.
  2. Click Create New Profile. The profile creation wizard appears.
  3. On the General tab, provide the required details for the Summary and User Privacy & Access sections and click Next
Field Action
Profile name Type the name for this profile.
Max. # users

Type the maximum number of users that you want to assign to this profile.

If you do not want to set any restriction on the number of users, type 0 (zero).

Description Type a short description for this profile.

Data Preservation

Note: By default, Data Preservation settings are not inherited from the Default profile. You must specify Data Preservation settings as per your preference.

Auto delete preserved users


Select this checkbox if you want inSync to automatically delete preserved users after a particular duration.

Auto delete after

Specify the duration, in the number of days, when inSync should automatically delete preserved users.


  • The users to be auto-deleted must be in preserved state for a minimum of 30 days and maximum 366 days.
  • Once the user is auto-deleted, data of that user is also deleted from inSync. You cannot recover this deleted data again.
  • User data is retained or deleted based on the backup retention policy you have defined through profiles.
  • If a preserved user is under Legal Hold, such user will not be deleted.
Backup Inactivity Alert 
Alert if user's data sources are not backed up for inSync will raise the user Backup Inactivity Alert if a user device is not backed up for more than the days specified in this field.  You can specify from 1 to 365 days in this field.
User Privacy & Access
Allow admin access to user data

By default, this check box is selected.

Clear this check box if you do not want administrators to access and restore user data. Once you have cleared this check box, you cannot change your preference later.

Allow users to edit privacy settings

By default, this check box is selected.  If you do not want to allow Microsoft 365 Cloud Apps users to edit the privacy settings, click to clear this check box.

If you allow users to edit their privacy settings, users can prevent administrators from:

  • Viewing or downloading user data.
  • Performing data restores for the users.
  • Performing analytic search for the users.
  • Viewing files and folder names that users have restored or downloaded in the user audit trail.
  • Downloading log files pertaining to a user's inSync activities.
  • Downloading data that users share with others. However, inSync administrators can view the share activities for the users irrespective of the privacy settings.

Note: If you want to disallow the users to disable administrators to view/download their backup and share data through inSync Client, clear the 'Allow users to edit privacy settings' check box.

Allows restores from a Web browser By default, this check box is selected. Clear this check box if you want to allow users to restore data by accessing their inSync account through a web browser.
Login using

From the dropdown, click a preferred method that you want users to use to activate inSync and to log in to inSync Web.

The available options are as follows:

  • If you want users to use the password that inSync assigns, click inSync Password.
  • If you want users to user their Single Sign-On username and password, click Single Sign-On.
  • If you want users to use their AD/LDAP username and password, click AD/LDAP Account.
    • When you click AD/LDAP Account, the Select AD/LDAP Server field appears.
      Select the IP address or the fully qualified domain name (FQDN) of the inSync Master that contains the AD or LDAP server.

Single Sign-On (SSO) option is available only if SSO is configured in inSync. To configure SSO, see  Configure inSync for SSO.

Allow access from mobile devices

You can allow users to backup data from their iOS and Android devices.

Select this check box if you want to allow users to access inSync data from their mobile devices.

For more information on how you can update this permission, see Enable backup from mobile devices.

Allow users to log on only through the MDM managed app

This option is displayed only if you check the Allow access from mobile devices.

Select this check box if you want to allow users to log on by using only the inSync for MobileIron app from iOS devices.

Enforce PIN for mobile access Select this check box If you want to make it mandatory for users to set a four-digit security code to open the inSync mobile app, select this check box.

4. Click the Enable the Cloud Apps Backup setting option to enable Microsoft 365 app.

You can enable and define the settings for the Microsoft 365 app only if you have purchased a license for Cloud Apps. If you have not subscribed for the Cloud Apps license but would like to purchase one, contact Druva Sales.

The setting options on the Cloud Apps screen are displayed.

Field Description
Backup Cloud Apps 
Exchange Online

Select this check box, if you want to backup only Exchange Online data. In-Place Archive for Exchange Online is also backed up if Exchange Online is selected.

Optionally, if you want inSync to backup the Exchange Online Recoverable Items folder, which keeps the deleted emails, contacts, and calendar items in the Deletions and Purges items, select the Backup Recoverable Items check box. This enables inSync Cloud administrators and inSync users to restore or download data caused by accidental or malicious deletion.

Global Exclusions

Global Exclusions for files is not applicable for emails.

For more information on how you can configure the global exclude list, see Configure the global exclude list.

Schedule & Retention: Backup Schedule 
Backup frequency

Select how frequently you want inSync to back up Microsoft 365 apps data. By default, inSync performs the backup operation once a day. For more information, see Define the backup interval for Cloud Apps.

Schedule & Retention: Data Retention for Cloud Apps
Retain all backups for

Type the number of days that you want to retain all backups. At the end of the backup period, inSync deletes the data from the storage.

For example, if you specify that you want to retain all backups for 5 days and inSync completed the backup operation on January 6, 2017. inSync then deletes the backup data from the storage on January 11, 2017. 

Retain weekly backups for Type the number of weeks that you want to retain all backups. At the end of the weekly backup period, inSync deletes the data from the storage.
Note: The weekly backup is the last backup in a calendar week. The calendar week starts on Sunday.
Retain monthly backups for

Type the number of months that you want to retain all backups. At the end of the monthly backup period, inSync deletes the data from the storage.

Note: The monthly backup is the last backup in a calendar month.
Email Retention
Automatically delete old emails

Type the number of months after which you want inSync to delete all backed up emails.  

For example, if you type 6, inSync will automatically delete all emails across all snapshots whose sent or received timestamp is more than 6 months old. 

After you configure to enable backup from Cloud Apps, the Manage Users page displays the number of Cloud Apps associated with the users. If you click the Cloud Apps associated with a user, the Cloud Apps tab displays the backup status of Cloud Apps data.

Click Disable Cloud Apps Backup to disable the Cloud Apps backup associated to this profile at anytime.

Alternatively, you can update the existing profile to enable the Cloud Apps feature. For more information, see Update Profile.

Step 5: Associate and add users to Microsoft 365 enabled Cloud Apps profile 

The procedure to associate and add users depends on the Cloud Apps settings configuration set in Step 3.

Cloud Apps settings Procedure
inSync Email ID

Add users individually or add a group of users by importing their information from a CSV file. To learn more about each option, see:

 If you have not created a Cloud Apps enabled profile, you may add the users to the Default profile and then enable Cloud Apps feature for this profile.

AD attribute

inSync users are automatically imported and mapped to their Microsoft 365 account.

If your preferred method to map users is AD attribute option, then you must have the Active Directory (AD) or LDAP  integrated with inSync. To learn more about how to integrate Active Directory (AD) or LDAP  integrated with inSync, see Create an AD/LDAP mapping.

Related Activities

  • Backup data
  • Restore data
  • Download data
  • Monitor backup and restore activities
    • Enable alerts for monitoring Microsoft 365: Exchange Online status
    • View and receive reports
    • View Live Activities
  • Legal Hold and governance
  • Was this article helpful?