Before you begin
Before you initiate Druva inSync to protect Exchange Online data, ensure the following:
- You have a Microsoft 365 global administrator account with a valid Microsoft 365 license.
- You have a Microsoft 365 tenant administrator account. To learn more about how to create a tenant administrator account, check the Microsoft 365 documentation.
Configure Druva inSync to protect Microsoft 365: Exchange Online
Log in to the inSync Management Console as a Druva inSync Cloud administrator and perform the following steps to set up Druva inSync to protect Exchange Online data.
Step 1: Provide Druva inSync permissions to access Exchange Online data
To protect and back up Exchange Online data, Druva inSync requires authorization from Microsoft 365. Also, the Druva inSync Cloud administrator must accept the required permissions to access Exchange Online data.
Druva inSync uses OAuth 2.0 to communicate with services like Microsoft 365. OAuth is an open protocol for token-based authentication and authorization on the Internet. For more information on OAuth 2.0, see the OAuth website.
To establish the connection with Microsoft 365 and provide required permissions to Druva inSync:
- In the inSync Management Console menu bar, click Data Sources > Cloud Apps.
- On the Manage Cloud Apps page, select the Microsoft 365 app, and then click Configure.
- On the confirmation message that appears, click Yes to proceed with the configuration.
- On the Microsoft 365 login page, enter the tenant administrator's user name and password for Microsoft 365, and then click Sign in.
- Click Accept to grant the Druva inSync app the required permissions to access Exchange Online data. For more information about the required permissions, see Required permissions for access to Exchange Online.
After you accept the permissions, Druva inSync is connected to Microsoft 365 and can access data of all users in your organization.
After Microsoft 365 is configured, you can view the configuration details on the Manage Cloud App Accounts page.
You can use the Verify Configuration option to check if Druva inSync can access your users.
To verify the configuration:
1. On the inSync Management Console menu bar, click Data Sources > Cloud Apps.
2. On the Manage Cloud Apps page, select a Cloud App, and then click Verify Configuration.
3. In the Verify Configuration dialog, select a user.
- Provide an email address in the Select a user field.
- Druva inSync recommends that you enter an organization user email address to check if the configuration works instead of an administrator user.
4. When you select a user, Druva inSync performs the following checks as a part of verification:
- App authentication: This step checks if Druva inSync can generate refresh tokens and access tokens for the application. This step detects changes related to Microsoft 365 permissions.
- User and user’s endpoints existence: This step checks if the user exists at the Microsoft 365 end.
- User mailbox existence: This step verifies if a mailbox exists for that user.
5. If any of the authentication steps fail, you are prompted with an error message. Click the error message to view the error details.
Step 2: Configure Cloud Apps settings for Exchange Online
Define the user attribute that you want Druva inSync to use to map user accounts to their Microsoft 365 app accounts.
- Configure user account access using the inSync email ID or Active Directory (AD) attribute
- Configure the User custom domain for Microsoft 365
Only inSync administrators with the Cloud administrator role can configure the user account access settings.
By default, inSync uses the email address of inSync users to map users to their Microsoft 365 app account.
If you have integrated Active Directory (AD) or LDAP with inSync to manage user information, you can configure inSync to use the User Principal Name (UPN) of users for identifying and associating them to their Microsoft 365 app account.
inSync gets the UPN information through AD Mapping configured to fetch user accounts from configured AD/LDAP with inSync.
inSync then automatically gets user details and identifies the user accounts with the configured Cloud Apps account.
Only inSync administrators with Cloud Administrator role can configure the user account access settings.
Note: To configure Shared Mailbox as part of Microsoft 365 backup:
- Ensure inSync is configured to use inSync Email ID to access user accounts for Microsoft 365.
- inSync does not support AD Attribute - User Principal Name (UPN) for Shared Mailbox backup.
1. On the Druva inSync Management Console menu bar, click Data Sources > Cloud Apps.
2. On the Manage Cloud App page, select the Microsoft 365 app and then click Settings.
The Cloud App Settings dialog box appears.
3. By default, inSync Email ID is configured for accessing user accounts. To configure inSync to use User Principal Name (UPN) for accessing user accounts, select AD Attribute.
4. Click OK.
An organization may have a custom domain associated with different cloud applications such as Microsoft 365. inSync administrators must map the inSync user IDs of the users using the Microsoft 365 apps with the custom domain.
If the inSync user ID does not match the Cloud application domain ID configured by the organization, backup for that particular cloud application service fails with the error USER NOT FOUND.
Configuring the user custom domain for Microsoft 365 enables the administrator to allow inSync to access the user's details.
1. On the Druva inSync Management Console menu bar, click Data Sources > Cloud Apps.
2. On the Manage Cloud App page, select the Microsoft 365 app and then click Settings.
3. On the Cloud App Settings dialog box, select the User custom domain check box.
4. In the Specify domain field, enter a valid and unique custom domain name. The custom domain specified in this field replaces the inSync user's existing domain and is used to access the user's details for the configured cloud application.
5. Click OK.
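A pre-flight check for the mapping rules in this step, as an added example (not Druva's code): it derives the identity each inSync user would be looked up under and lists the users that would not resolve in the tenant. The function names, record fields and sample data are hypothetical, and it assumes the custom domain replaces the domain part of whichever identifier (email ID or UPN) is selected.

```python
def m365_identity(user, mode="email", custom_domain=None):
    """Return (identity, error) for one inSync user record (a dict).

    mode is "email" (inSync Email ID, the default) or "ad_attribute" (UPN).
    """
    if mode == "ad_attribute":
        if user.get("shared"):
            # Per the page: UPN mapping is not supported for Shared Mailbox backup.
            return None, "shared mailbox needs inSync Email ID mapping"
        ident = user.get("upn")
        if not ident:
            return None, "no UPN supplied by the AD/LDAP mapping"
    else:
        ident = user["email"]
    local, _, domain = ident.rpartition("@")
    if not local or not domain:
        return None, "malformed identifier"
    # Assumption: the custom domain replaces the domain part of whichever
    # identifier is selected.
    return f"{local}@{custom_domain or domain}".lower(), None


def preflight(users, tenant_identities, mode="email", custom_domain=None):
    """Map each user and report the ones that would not resolve."""
    tenant = {t.lower() for t in tenant_identities}
    problems = {}
    for user in users:
        ident, err = m365_identity(user, mode, custom_domain)
        if err is None and ident not in tenant:
            err = f"USER NOT FOUND: {ident}"
        if err:
            problems[user["email"]] = err
    return problems


# Constructed sample data (not from a real tenant).
USERS = [
    {"email": "alice@corp.example", "upn": "alice@corp.example"},
    {"email": "bob@corp.example", "upn": "b.smith@corp.example"},
    {"email": "helpdesk@corp.example", "shared": True},
]
TENANT = ["Alice@m365.example", "bob@m365.example", "helpdesk@m365.example"]

if __name__ == "__main__":
    for args in [("email", None), ("email", "m365.example"),
                 ("ad_attribute", "m365.example")]:
        print(args, preflight(USERS, TENANT, *args))
```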
Step 3: Get user data encryption key (ekey)
To ensure that the Microsoft 365 data that is backed up is secure, you must configure Druva inSync to get the data encryption key (ekey).
inSync requires access to the ekey to initiate the scheduled backup of any Microsoft 365 app data. The ekey is used to encrypt the user data when it is being backed up to the inSync Cloud. This is part of the digital envelope encryption process that Druva strictly adheres to. Druva does not store users' ekeys and has no access to the data.
Use one of the following methods to enable Druva inSync to get the user data encryption key (ekey):
- inSync Connector acts as a Cloud Apps connector to provide the ekeys without requiring users to have their devices connected for the Cloud Apps backup.
- If the registered inSync Connectors are not connected, backup of the configured Cloud Apps data fails.
- inSync Connector does not need to have any domains or AD mappings added to it.
- inSync generates a Not Connected alert if inSync Connector is not connected.
If none of the earlier mentioned deployment options are used, you must have the Cloud Key Management feature enabled. For more information, see Configure Key Management for Cloud Apps.
Step 4: Configure a profile to protect Exchange Online data
To back up Microsoft 365: Exchange Online data, you must specify the Microsoft 365 backup settings in an existing profile or in a new profile. inSync starts backing up the user data from Microsoft 365 as per the backup schedule that is defined for a profile with the Cloud Apps feature enabled.
Create a new Profile
1. On the Druva inSync Management Console menu bar, click Profiles.
2. Click Create New Profile. The profile creation wizard appears.
3. On the General tab, provide the required details for the Summary and User Privacy & Access sections and click Next.
|Profile name||Type the name for this profile.|
|Max. # users||Type the maximum number of users that you want to assign to this profile. If you do not want to set any restriction on the number of users, type 0 (zero).|
|Description||Type a short description for this profile.|
|Auto delete preserved users||Select this checkbox if you want inSync to automatically delete preserved users after a particular duration.|
|Auto delete after||Specify the duration, in the number of days, when inSync should automatically delete preserved users.|
|Backup Inactivity Alert|
|Alert if user's data sources are not backed up for||inSync will raise the user Backup Inactivity Alert if a user device is not backed up for more than the days specified in this field. You can specify from 1 to 365 days in this field.|
|User Privacy & Access|
|Allow admin access to user data||By default, this check box is selected. Clear this check box if you do not want administrators to access and restore user data. Once you have cleared this check box, you cannot change your preference later.|
|Allow users to edit privacy settings||
By default, this check box is selected. If you do not want to allow Microsoft 365 Cloud Apps users to edit the privacy settings, click to clear this check box.
If you allow users to edit their privacy settings, users can prevent administrators from:
|Allows restores from a Web browser||By default, this check box is selected. Clear this check box if you want to allow users to restore data by accessing their inSync account through a web browser.|
From the dropdown, click a preferred method that you want users to use to activate inSync and to log in to inSync Web.
The available options are as follows:
Single Sign-On (SSO) option is available only if SSO is configured in inSync. To configure SSO, see Configure inSync for SSO.
|Allow access from mobile devices||You can allow users to back up data from their iOS and Android devices. Select this check box if you want to allow users to access inSync data from their mobile devices. For more information on how you can update this permission, see Enable backup from mobile devices.|
|Allow users to log on only through the MDM managed app||This option is displayed only if you select the Allow access from mobile devices check box. Select this check box if you want to allow users to log on by using only the inSync for MobileIron app from iOS devices.|
|Enforce PIN for mobile access||Select this check box if you want to make it mandatory for users to set a four-digit security code to open the inSync mobile app.|
4. Click the Enable the Cloud Apps Backup setting option to enable the Microsoft 365 app.
You can enable and define the settings for the Microsoft 365 app only if you have purchased a license for Cloud Apps. If you have not subscribed to the Cloud Apps license but would like to purchase one, contact Druva Sales.
The setting options on the Cloud Apps screen are displayed.
|Backup Cloud Apps|
Select this check box if you want to back up only Exchange Online data. In-Place Archive for Exchange Online is also backed up if Exchange Online is selected.
Optionally, if you want inSync to back up the Exchange Online Recoverable Items folder, which keeps the deleted emails, contacts, and calendar items in the Deletions and Purges items, select the Backup Recoverable Items check box. This enables inSync Cloud administrators and inSync users to restore or download data lost through accidental or malicious deletion.
Global Exclusions for files is not applicable for emails.
For more information on how you can configure the global exclude list, see Configure the global exclude list.
|Schedule & Retention: Backup Schedule|
Select how frequently you want inSync to back up Microsoft 365 apps data. By default, inSync performs the backup operation once a day. For more information, see Define the backup interval for Cloud Apps.
|Schedule & Retention: Data Retention for Cloud Apps|
|Retain all backups for||Type the number of days that you want to retain all backups. At the end of the backup period, inSync deletes the data from the storage. For example, if you specify that you want to retain all backups for 5 days and inSync completed the backup operation on January 6, 2017, inSync deletes the backup data from the storage on January 11, 2017.|
|Retain weekly backups for||Type the number of weeks that you want to retain all backups. At the end of the weekly backup period, inSync deletes the data from the storage. Note: The weekly backup is the last backup in a calendar week. The calendar week starts on Sunday.|
|Retain monthly backups for||Type the number of months that you want to retain all backups. At the end of the monthly backup period, inSync deletes the data from the storage. Note: The monthly backup is the last backup in a calendar month.|
|Automatically delete old emails||Type the number of months after which you want inSync to delete all backed up emails. For example, if you type 6, inSync will automatically delete all emails across all snapshots whose sent or received timestamp is more than 6 months old.|
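The retention rules in the table above determine how far back a deleted mailbox item can still be restored. The following added example (not Druva's code) works out which snapshots are still held on a given day. It assumes a snapshot is kept while any one rule covers it, that weeks count as 7-day periods and months as calendar months from the snapshot date; the function names are hypothetical.

```python
from datetime import date, timedelta


def week_start(d):
    """Sunday that opens d's calendar week (the page: weeks start on Sunday)."""
    return d - timedelta(days=(d.weekday() + 1) % 7)


def add_months(d, n):
    """Same day n calendar months later, clamped to the month's last day."""
    y, m = divmod(d.year * 12 + d.month - 1 + n, 12)
    m += 1
    first_next = date(y + (m == 12), m % 12 + 1, 1)
    return date(y, m, min(d.day, (first_next - timedelta(days=1)).day))


def retained(snapshots, today, days, weeks, months):
    """Map each snapshot still held on `today` to the rules that keep it."""
    snaps = sorted(set(snapshots))
    last_in_week, last_in_month = {}, {}
    for s in snaps:  # ascending order, so the final write is the last backup
        last_in_week[week_start(s)] = s
        last_in_month[(s.year, s.month)] = s
    keep = {}
    for s in snaps:
        reasons = []
        if today < s + timedelta(days=days):
            reasons.append("all")
        if last_in_week[week_start(s)] == s and today < s + timedelta(weeks=weeks):
            reasons.append("weekly")
        if last_in_month[(s.year, s.month)] == s and today < add_months(s, months):
            reasons.append("monthly")
        if reasons:
            keep[s] = reasons
    return keep


# Constructed sample: one backup per day for January 2017.
JANUARY = [date(2017, 1, 1) + timedelta(days=i) for i in range(31)]

if __name__ == "__main__":
    held = retained(JANUARY, date(2017, 1, 31), days=5, weeks=2, months=1)
    for snap, why in held.items():
        print(snap, why)
```

With 5 days, 2 weeks and 1 month, only six of the 31 daily snapshots remain on January 31, and the oldest restorable point is January 21.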
After you enable backup from Cloud Apps, the Manage Users page displays the number of Cloud Apps associated with the users. If you click the Cloud Apps associated with a user, the Cloud Apps tab displays the backup status of Cloud Apps data.
Click Disable Cloud Apps Backup to disable the Cloud Apps backup associated with this profile at any time.
Alternatively, you can update the existing profile to enable the Cloud Apps feature. For more information, see Update Profile.
Step 5: Associate and add users to Microsoft 365 enabled Cloud Apps profile
The procedure to associate and add users depends on the Cloud Apps settings configuration set in Step 3.
|Cloud Apps settings||Procedure|
|inSync Email ID||
Add users individually or add a group of users by importing their information from a CSV file. To learn more about each option, see:
If you have not created a Cloud Apps enabled profile, you may add the users to the Default profile and then enable Cloud Apps feature for this profile.
inSync users are automatically imported and mapped to their Microsoft 365 account.
If your preferred method to map users is AD attribute option, then you must have the Active Directory (AD) or LDAP integrated with inSync. To learn more about how to integrate Active Directory (AD) or LDAP integrated with inSync, see Create an AD/LDAP mapping.
- Backup data
- Restore data
- Download data
- Monitor backup and restore activities
- Enable alerts for monitoring Microsoft 365: Exchange Online status
- View and receive reports
- View Live Activities
- Legal Hold and governance