Skip to main content
Druva Documentation

Configure inSync to protect Exchange Online data

inSync Cloud Editions: File:/tick.png Elite Plus File:/tick.png Elite File:/cross.png Enterprise File:/cross.png Business

Before you begin 

Before you initiate Druva inSync to protect Exchange Online data, ensure the following -

  • You have an Microsoft 365 global administrator account with a valid Microsoft 365 license.

Configure Druva inSync to protect Microsoft 365: Exchange Online

Log in to the inSync Management Console as a inSync Cloud administrator and perform the following steps to set-up Druva inSync to configure and protect Exchange Online data.

Step 1: Provide Druva inSync permissions to access Exchange Online data

To protect and backup Exchange Online data, Druva inSync requires authorization from Microsoft 365. Also, the inSync Cloud administrator must accept the required permissions to access Exchange Online data. 

Druva inSync uses OAuth 2.0 to communicate with services like Microsoft 365. OAuth is an open protocol for token-based authentication and authorization on the Internet. For more information on OAuth 2.0, see the OAuth website.


To establish the connection with Microsoft 365 and provide required permissions to Druva inSync:

  1. On the inSync Management Console menu bar, click Data Sources > Microsoft 365. Click Add Microsoft 365 Account.

M365_Not Configured_First screen_Oct6_marked.png

  1. On the confirmation message, click Configure to proceed with the configuration.

M365_Not Configured_Second screen_Oct6_marked.png

  1. On the Microsoft 365 login page, enter the Microsoft 365 global administrator account user name and password for Microsoft 365, and then click Sign in
  2. Click Accept to grant Druva inSync app the required permissions to access Exchange Online data. For more information about the required permissions, see Required permissions for access to Exchange Online.

After you accept the permissions, Druva inSync gets connected to Microsoft 365 and can access data of all users in your organization.

Verify Configuration

You can use the Verify Configuration option to check if Druva inSync can access your users. 


To verify the configuration:

  1. On the inSync Management Console menu bar, click Data Sources > Microsoft 365.

2. On the Overview page, click More options icon.png and then click Verify.

3. In the Verify Configuration dialog, select a user.

  • Provide an email address in the Select a user field. 
  • Druva inSync recommends that you enter an organization user email address to check if the configuration works instead of an administrator user. 

4. When you select a user, Druva inSync performs the following checks as a part of verification: 

  • App authentication: This step checks if Druva inSync can generate refresh tokens and access tokens for the application. This step detects changes related to Microsoft 365 permissions.
  • User and user’s endpoints existence: This step checks if the user exists at the Microsoft 365 end.
  • User mailbox existence: This step verifies if a mailbox exists for that user.

5. If any of the authentication steps fail, you are prompted with an error message. Click the error message to view the error details.

Step 2: Configure Cloud Apps settings for Exchange Online

 Define the user attribute that you want Druva inSync to use to map user account to their Microsoft 365 app account.

Only administrators with the Cloud administrator role can configure the user account access settings.

Configure user accounts access using the Druva inSync email ID or Active Directory(AD) attribute 

By default, Druva inSync uses the email address of Druva inSync users to map users to their Microsoft 365 app account.

If you have integrated Active Directory (AD) or LDAP with Druva inSync to manage user information, you can configure Druva inSync to use the User Principal Name (UPN) of users for identifying and associating them to their Microsoft 365 app account.

Druva inSync gets the UPN information through AD Mapping configured to fetch user accounts from configured AD/LDAP with Druva inSync. 

Druva inSync then automatically gets user details and identifies the user accounts with the configured Cloud Apps account.

Only administrators with Cloud Administrator role can configure the user account access settings.

Note: To configure Shared Mailbox as part of Microsoft 365 backup,

  • Ensure Druva inSync is configured to use Druva inSync Email ID to access user accounts for Microsoft 365.
  • Druva inSync does not support AD Attribute - User Principal Name (UPN) for Shared Mailbox backup.


  1. On the inSync Management Console menu bar, click Data Sources > Microsoft 365.
  2. On the Overview page, click More options icon.png and then click Settings. The Cloud App Settings dialog box appears.
  3. By default, Druva inSync Email ID is configured for accessing user accounts. To configure Druva inSync to use User Principal Name (UPN) for accessing user accounts, select AD Attribute.

Cloud App Settings_Oct6.png

4. Click OK.

Configure the User custom domain for Microsoft 365

An organization may have a custom domain associated with different cloud applications such as Microsoft 365. Administrators must map the Druva inSync user IDs of the users using the Microsoft 365 apps with the custom domain.

If the Druva inSync user ID does not match with the Cloud application domain ID configured by the organization, backup for that particular cloud application services fails with an error USER NOT FOUND. 

Configuring the user custom domain for Microsoft 365 enables the administrator to allow Druva inSync to access the user's details.


  1. On the inSync Management Console menu bar, click Data Sources > Microsoft 365.
  2.  On the Overview page, click More options icon.png and then click Settings. The Cloud App Settings dialog box appears.

Cloud App Settings_Oct6.png

4. To configure a custom domain for the selected Cloud App, enter a valid and unique User custom domain name. The custom domain specified in this field replaces the Druva inSync user's existing domain and is used to access the user's details for the configured cloud application.

5. Click OK.

Step 3: Get user data encryption key(ekey)

To ensure that the Microsoft 365 data that is backed up is secure, you must configure Druva inSync to get the data encryption key(ekey). 

 Druva inSync requires access to the ekey to initiate the scheduled backup of any Microsoft 365 app data. The ekey is used to encrypt the user data when it is being backed up to the Druva inSync Cloud. This is part of the digital envelope encryption process that Druva strictly adheres to. Druva does not store ekey of the users and has no access to the data.

Use one of the following methods to enable Druva inSync to get the user data encryption key(ekey):

Deploy inSync Connector 
At least one inSync Connector is configured and connected to the Druva inSync Cloud (default option). For more information, see: 


  • inSync Connector acts as a Cloud Apps connector to provide the ekeys without requiring users to have their devices connected for the Cloud Apps backup .
  • If the registered inSync Connectors are not connected, backup of the configured Cloud Apps data fails.
  • inSync Connector does not need to have any domains or AD mappings added to it.
  • Druva inSync generates a Not Connected alert if inSync Connector is not connected.

Connect a user device 
If the inSync Connector is not configured, then, at least one endpoint device (desktop or laptop) for every user in Druva inSync is configured for backup.

Enable Cloud Key Management 

If none of the earlier mentioned deployment options are used, you must have the Cloud Key Management feature enabled. For more information, see Configure Key Management for Cloud Apps.

Step 4: Configure a profile to protect Exchange Online data

To back up Microsoft 365: Exchange Online data, you must specify the Microsoft 365 backup settings in an existing profile or in a new profile. Druva inSync will start backing up the user data from Microsoft 365 as per the backup schedule that is defined for a profile with Cloud Apps feature enabled.

Create a new Profile

  1. On the inSync Management Console menu bar, click Profiles.
  2. Click Create New Profile. The profile creation wizard appears.
  3. On the General tab, provide the required details for the Summary and User Privacy & Access sections and click Next
Field Action
Profile name Type the name for this profile.
Max. # users

Type the maximum number of users that you want to assign to this profile.

If you do not want to set any restrictions on the number of users, type 0 (zero).

Description Type a short description for this profile.

Data Preservation

Note: By default, Data Preservation settings are not inherited from the Default profile. You must specify Data Preservation settings as per your preference.

Auto delete preserved users


Select this checkbox if you want Druva inSync to automatically delete preserved users after a particular duration.

Auto delete after

Specify the duration, in the number of days, when Druva inSync should automatically delete preserved users.


  • The users to be auto-deleted must be in preserved state for a minimum of 30 days and maximum 366 days.
  • Once the user is auto-deleted, data of that user is also deleted from Druva inSync. You cannot recover this deleted data again.
  • User data is retained or deleted based on the backup retention policy you have defined through profiles.
  • If a preserved user is under Legal Hold, such user will not be deleted.
Backup Inactivity Alert 
Alert if user's data sources are not backed up for Druva inSync will raise the user Backup Inactivity Alert if a user device is not backed up for more than the days specified in this field. You can specify from 1 to 365 days in this field.
User Privacy & Access
Allow admin access to user data

By default, this check box is selected.

Clear this check box if you do not want administrators to access and restore user data. Once you have cleared this check box, you cannot change your preference later.

Allow users to edit privacy settings

By default, this check box is selected. If you do not want to allow Microsoft 365 Cloud Apps users to edit the privacy settings, click to clear this check box.

If you allow users to edit their privacy settings, users can prevent administrators from:

  • Viewing or downloading user data.
  • Performing data restores for the users.
  • Performing analytic search for the users.
  • Viewing files and folder names that users have restored or downloaded in the user audit trail.
  • Downloading log files pertaining to a user's Druva inSync activities.
  • Downloading data that users share with others. However, administrators can view the share activities for the users irrespective of the privacy settings.

Note: If you want to disallow the users to disable administrators to view/download their backup and share data through inSync Client, clear the 'Allow users to edit privacy settings' check box.

Allows restores from a Web browser By default, this check box is selected. Clear this check box if you want to allow users to restore data by accessing their Druva inSync account through a web browser.
Login using

From the dropdown, click a preferred method that you want users to use to activate Druva inSync and to log in to inSync Web.

The available options are as follows:

  • If you want users to use the password that Druva inSync assigns, click Druva inSync Password.
  • If you want users to user their Single Sign-On username and password, click Single Sign-On.
  • If you want users to use their AD/LDAP username and password, click AD/LDAP Account.
    • When you click AD/LDAP Account, the Select AD/LDAP Server field appears.
      Select the IP address or the fully qualified domain name (FQDN) of the inSync Master that contains the AD or LDAP server.

Single Sign-On (SSO) option is available only if SSO is configured in Druva inSync. To configure SSO, see Configure Druva inSync for SSO.

Allow access from mobile devices

You can allow users to backup data from their iOS and Android devices.

Select this check box if you want to allow users to access Druva inSync data from their mobile devices.

For more information on how you can update this permission, see Enable backup from mobile devices.

Allow users to log on only through the MDM managed app

This option is displayed only if you check the Allow access from mobile devices.

Select this check box if you want to allow users to log on by using only the Druva inSync for MobileIron app from iOS devices.

Enforce PIN for mobile access Select this check box If you want to make it mandatory for users to set a four-digit security code to open the inSync Mobile App, select this check box.

4. Click the Enable the Cloud Apps Backup setting option to enable Microsoft 365 app.

You can enable and define the settings for the Microsoft 365 app only if you have purchased a license for Cloud Apps. If you have not subscribed for the Cloud Apps license but would like to purchase one, contact Druva Sales.

The setting options on the Cloud Apps screen are displayed.

Field Description
Backup Cloud Apps 
Exchange Online

Select this check box, if you want to backup only Exchange Online data. In-Place Archive for Exchange Online is also backed up if Exchange Online is selected.

Optionally, if you want Druva inSync to backup the Exchange Online Recoverable Items folder, which keeps the deleted emails, contacts, and calendar items in the Deletions and Purges items, select the Backup Recoverable Items check box. This enables inSync Cloud administrator and Druva inSync users to restore or download data caused by accidental or malicious deletion.

Global Exclusions

Global Exclusions for files is not applicable for emails.

For more information on how you can configure the global exclude list, see Configure the global exclude list.

Schedule & Retention: Backup Schedule 
Backup frequency

Select how frequently you want Druva inSync to back up Microsoft 365 apps data. By default, Druva inSync performs the backup operation once a day. For more information, see Define the backup interval for Cloud Apps.

Schedule & Retention: Data Retention for Cloud Apps
Retain all backups for

Type the number of days that you want to retain all backups. At the end of the backup period, Druva inSync deletes the data from the storage.

For example, if you specify that you want to retain all backups for 5 days and Druva inSync completed the backup operation on January 6, 2017. Druva inSync then deletes the backup data from the storage on January 11, 2017. 

Retain weekly backups for Type the number of weeks that you want to retain all backups. At the end of the weekly backup period, Druva inSync deletes the data from the storage.
Note: The weekly backup is the last backup in a calendar week. The calendar week starts on Sunday.
Retain monthly backups for

Type the number of months that you want to retain all backups. At the end of the monthly backup period, Druva inSync deletes the data from the storage.

Note: The monthly backup is the last backup in a calendar month.
Email Retention
Automatically delete old emails

Type the number of months after which you want Druva inSync to delete all backed up emails.

For example, if you type 6, Druva inSync will automatically delete all emails across all snapshots whose sent or received timestamp is more than 6 months old. 

After you configure to enable backup from Cloud Apps, the Manage Users page displays the number of Cloud Apps associated with the users. If you click the Cloud Apps associated with a user, the Cloud Apps tab displays the backup status of Cloud Apps data.

Click Disable Cloud Apps Backup to disable the Cloud Apps backup associated to this profile at anytime.

Alternatively, you can update the existing profile to enable the Cloud Apps feature. For more information, see Update Profile.

Step 5: Associate and add users to Microsoft 365 enabled Cloud Apps profile 

The procedure to associate and add users depends on the Cloud Apps settings configuration set in Step 2.

Cloud Apps settings Procedure
Druva inSync Email ID

Add users individually or add a group of users by importing their information from a CSV file. To learn more about each option, see:

 If you have not created a Cloud Apps enabled profile, you may add the users to the Default profile and then enable Cloud Apps feature for this profile.

AD attribute

Druva inSync users are automatically imported and mapped to their Microsoft 365 account.

If your preferred method to map users is AD attribute option, then you must have the Active Directory (AD) or LDAP integrated with Druva inSync. To learn more about how to integrate Active Directory (AD) or LDAP integrated with Druva inSync, see Create an AD/LDAP mapping.

Related Activities

  • Backup data
  • Restore data
  • Download data
  • Monitor backup and restore activities
    • Enable alerts for monitoring Microsoft 365: Exchange Online status
    • View and receive reports
    • View Live Activities
  • Legal Hold and Governance
  • Was this article helpful?