Configure Druva inSync for Microsoft 365
Overview
This topic helps you get started with the required inSync configuration tasks to protect the following Microsoft 365 app data:
- Exchange Online
- OneDrive
- Teams
Before you begin
Before you initiate inSync configuration to protect Microsoft 365 data, ensure the following:
- You have a Microsoft 365 global administrator account with a valid Microsoft 365 license.
- You have an Azure Active Directory Premium P1 or P2 license to assign groups to apps. For more information, see Manage access to apps.
Create a user with Global admin role
If you wish to create a user with the global admin role from the Microsoft 365 Admin Center, perform the following steps:
- Log in to admin.microsoft.com (Microsoft 365 admin center) as an admin.
- In the Microsoft 365 admin center, under the Users section, create a user. This user need not be associated with any existing employee of the organization.
- Assign a Global admin role to this new user.
Once the new user is assigned a Global admin role, log in to the inSync Management Console, and configure inSync for Microsoft 365 with this new user having a Global admin role. See Configure inSync to protect Microsoft 365.
You can use a service account to configure the backups as inSync requires Global Administrator permissions to fetch the user details. If you have changes to the service account, such as password reset, password expiry, or Multi-factor Authentication (MFA) configuration, you need to reconfigure the Microsoft 365 app.
Revoke Global admin role of the user
If you wish to revoke the global admin role of a user from the Microsoft 365 Admin Center, perform the following steps:
- Log in to admin.microsoft.com (Microsoft 365 admin center) as an admin.
- Remove the global admin role of the user used for authorization and configuration of Microsoft 365 in inSync.
- Ensure that this user is not deleted or blocked from signing in to the Microsoft Office 365 account.
Know your Microsoft 365 app status
- Not Configured: Configure Microsoft 365 app
- Not Connected: Reconfigure Microsoft 365 app
- Not Licensed: Get a new license or renew the license if expired
- Connected: Configure Cloud App settings to define user attributes.
Advanced and Basic Microsoft 365 app
The Microsoft 365 app has two variants - Advanced and Basic.
Supported Apps/Features | M365 Advanced | M365 Basic |
---|---|---|
Exchange Online | ✅ | ✅ |
OneDrive | ✅ | ✅ |
SharePoint | ✅ | ✅ |
Teams | ✅ | ✅ |
Public Folders | ✅ | ✅ |
Groups | ✅ | ❌ |
Multi-Geo | ✅ | ❌ |
Use the Advanced app when you want to protect Groups, Exchange Online, OneDrive, SharePoint Online, Microsoft Teams, and Public Folders and also when you have enabled the Multi-Geo support.
Use the Basic app when you want to protect Exchange Online, OneDrive, SharePoint Online, Microsoft Teams, and Public Folders without providing the Directory.ReadWrite.All permission. For information about the required permissions for each app, see Microsoft 365 Permissions for Druva App.
The Basic app does not support advanced features like Multi-Geo and Groups protection. To use these advanced features, you must use the Microsoft 365 Advanced app.
If you are an existing user and do not want to use the Multi-Geo and Groups support features, you need to revoke access to the advanced app. No action is required if you have enabled Multi-Geo support and want to protect Microsoft Groups.
To revoke access to Microsoft 365 Advanced app:
On the Re-Configure for Backup window, click and select Revoke Access.
Revoking access removes all existing permissions, restricts backup and restore of app workloads, and terminates any ongoing backups and restores.
Configure inSync to protect Microsoft 365 apps
Log in to the inSync Management Console as an inSync Cloud administrator and perform the following steps to set up inSync to protect Microsoft 365 apps.
Step 1: Provide inSync permissions to access Microsoft 365 app data
To begin with Microsoft 365 data backup, you need to authorize inSync with Microsoft 365 app data access.
Once you initiate a Microsoft 365 app configuration from the inSync Management Console, the application redirects you to the Microsoft 365 login page. Log in as a Global Administrator to review the requested app permissions and grant access to the app data. To know more about the requested permissions and their purpose, check the Microsoft 365 App Permissions for Druva App article.
inSync communicates with Microsoft 365 services using OAuth 2.0, an open protocol for token-based authentication and authorization. For more information, see the OAuth website.
Procedure
To establish the connection with Microsoft 365 and provide required permissions to inSync:
- On the inSync Management Console menu bar, click the icon to access the global navigation panel.
- Click SaaS Apps > Microsoft 365.
- Click Add Microsoft 365 Account.
5. On the Configure for Backup page, click Configure beside the app you want to configure.
The Microsoft 365 Basic app does not support advanced features like Multi-Geo and Groups protection. To use these advanced features, you must use the Microsoft 365 Advanced app. For more information, see ??.
Note:
1. You can configure other apps from the Overview page as per your requirement.
2. The Microsoft 365 tenant must be the same for all the sub-apps you would like to configure. You cannot configure Microsoft 365 sub-apps in multiple tenants.
6. On the Microsoft 365 login page, enter the Microsoft 365 global administrator's user name and password and then click Sign in.
7. Click Accept to grant inSync app access to the Microsoft 365 data. You can view the permissions based on the selected app, which is a combined list for all Microsoft 365 apps.
inSync connects to the Microsoft 365 account and configuration is complete.
Support for Azure Active Directory (AD) Conditional Access policies
If your organization uses Azure AD Conditional Access policies for authenticating and providing conditional access to users, the app configuration step will adhere to these policies. For more information, see Support for Azure Active Directory (AD) Conditional Access policies.
If you are an existing customer, you must reconfigure your Microsoft 365 app.
If the conditions in the access policies are not satisfied, the token-based authentication fails with the following error message.
Verify Configuration
After you complete the configuration of inSync with Microsoft 365 app, you can use the Verify Configuration option to check if inSync can access your users.
Procedure
To verify the configuration:
- On the inSync Management Console menu bar, click the icon to access the global navigation panel.
- Click SaaS Apps.
- Click Microsoft 365.
- On the Overview page, click and then click Verify.
- In the Verify Configuration dialog that appears, select the app for which you want to verify the configuration.
Based on the selection of the app, the options to verify configuration are displayed. The following image displays options when Microsoft 365 app is selected.
Here is the list of parameters for each sub-app to verify the configuration:
- Exchange Online and OneDrive: Email ID of the user
- SharePoint: Site title
- Teams: Team Name
- Public folder: Public folder name
- Exchange Online and OneDrive: Provide an email address in the Select a user field.
- inSync recommends that you enter an organization user email address to check if the configuration works instead of an administrator user.
6. When you select an app and provide the parameters for verification, inSync performs the following checks as a part of verification:
- App authentication: This step checks if inSync can utilize the available refresh tokens to validate the connection with the Microsoft 365 tenant.
- User and user’s endpoints existence: This step checks if the user exists at the Microsoft 365 end.
7. If any of the authentication steps fail for the selected app, you are prompted with an error message. Click the error message to view the error details.
Step 2: Configure SaaS Apps settings for Microsoft 365
Define the user attribute that you want inSync to use to map user accounts to their Microsoft 365 app accounts.
- Configure user accounts access using the inSync email ID or Active Directory (AD) attribute
- Configure the User custom domain for Microsoft 365
Only administrators with the Cloud administrator role can configure the user account access settings.
Configure user accounts access using the inSync email ID or Active Directory (AD) attribute
By default, inSync uses the email address of inSync users to map users to their Microsoft 365 app account.
If you have integrated Active Directory (AD) or LDAP with inSync to manage user information, you can configure inSync to use the User Principal Name (UPN) of users for identifying and associating them to their Microsoft 365 app account.
inSync gets the UPN information through AD Mapping configured to fetch user accounts from configured AD/LDAP with inSync.
inSync then automatically gets user details and identifies the user accounts with the configured SaaS Apps account.
Note: To configure Shared Mailbox as part of Microsoft 365 backup,
- Ensure inSync is configured to use inSync Email ID to access user accounts for Microsoft 365.
- inSync does not support AD Attribute - User Principal Name (UPN) for Shared Mailbox backup.
Procedure
- On the inSync Management Console menu bar, click the icon to access the global navigation panel.
- Click SaaS Apps.
- Click Microsoft 365.
- On the Overview page, click and then click Settings. The Cloud App Settings dialog box appears.
- By default, inSync Email ID is configured for accessing user accounts. To configure inSync to use User Principal Name (UPN) for accessing user accounts, select AD Attribute.
6. Click OK.
Configure the User custom domain for Microsoft 365
An organization may have a custom domain associated with different cloud applications such as Microsoft 365. The inSync Cloud administrator must map the inSync user IDs of the users using the Microsoft 365 apps with the custom domain.
If the inSync user ID does not match with the Cloud application domain ID configured by the organization, backup for that particular cloud application services fails with an error USER NOT FOUND.
Configuring the user custom domain for Microsoft 365 enables the administrator to allow inSync to access the user's details.
Procedure
- On the inSync Management Console menu bar, click the icon to access the global navigation panel.
- Click SaaS Apps.
- Click Microsoft 365.
- On the Overview page, click and then click Settings. The Cloud App Settings dialog box appears.
- To configure a custom domain for the selected Cloud App, enter a valid and unique User custom domain name. The custom domain specified in this field replaces the inSync user's existing domain and is used to access the user's details for the configured cloud application.
6. Click OK.
Step 3: Get user data encryption key (ekey)
To ensure that the Microsoft 365 data that is backed up is secure, you must configure inSync to get the data encryption key (ekey).
inSync requires access to the ekey to initiate the scheduled backup of any Microsoft 365 app data. The ekey is used to encrypt the user data when it is being backed up to the inSync Cloud. This is part of the digital envelope encryption process that Druva strictly adheres to. Druva does not store ekey of the users and has no access to the data.
Use one of the following methods to enable inSync to get the user data encryption key (ekey):
At least one inSync Connector is configured and connected to the inSync Cloud (default option). For more information, see:
Note:
- inSync Connector acts as a SaaS Apps connector to provide the ekeys without requiring users to have their devices connected for the SaaS Apps backup.
- If the registered inSync Connectors are not connected, backup of the configured SaaS Apps data fails.
- inSync Connector does not need to have any domains or AD mappings added to it.
- inSync generates a Not Connected alert if inSync Connector is not connected.
If the inSync Connector is not configured, then, at least one endpoint device (desktop or laptop) for every user in inSync is configured for backup.
If none of the earlier mentioned deployment options are used, you must have the Cloud Key Management feature enabled. For more information, see Configure Key Management for SaaS Apps.
Step 4: Configure a profile to protect Microsoft 365 app data
To back up Microsoft 365 app data, you must specify the Microsoft 365 backup settings in an existing profile or in a new profile. inSync will start backing up the user data from Microsoft 365 as per the backup schedule that is defined for a profile with SaaS Apps feature enabled.
Create a new profile
- On the inSync Management Console menu bar, click Profiles.
- Click Create New Profile. The profile creation wizard appears.
- On the General tab, provide the required details for the Summary and User Privacy & Access sections and click Next.
Field | Action |
---|---|
Summary | |
Profile name | Type the name for this profile. |
Max. # users | Type the maximum number of users that you want to assign to this profile. If you do not want to set any restriction on the number of users, type 0 (zero). |
Description | Type a short description for this profile. |
Data Preservation | |
Auto delete preserved users | Select this check box if you want inSync to automatically delete preserved users after a particular duration. |
Auto delete after | Specify the duration, in the number of days, when inSync should automatically delete preserved users. |
Backup Inactivity Alert | |
Alert if user's data sources are not backed up for | inSync will raise the user Backup Inactivity Alert if a user device is not backed up for more than the days specified in this field. You can specify from 1 to 365 days in this field. |
User Privacy & Access | |
Allow admin access to user data | By default, this check box is selected. Clear this check box if you do not want administrators to access and restore user data. Once you have cleared this check box, you cannot change your preference later. |
Allow users to edit privacy settings | By default, this check box is selected. If you do not want to allow Microsoft 365 SaaS Apps users to edit the privacy settings, click to clear this check box. If you allow users to edit their privacy settings, Microsoft 365 SaaS Apps users can prevent administrators from: |
Allows restores from a Web browser | By default, this checkbox is selected. Clear this checkbox if you do not want to allow users to restore data by accessing their inSync account through a web browser. |
Login using | From the dropdown, click a preferred method that you want users to use to activate inSync and to log in to inSync Web. The available options are as follows: Single Sign-On (SSO) option is available only if SSO is configured in inSync. To configure SSO, see Configure inSync for SSO. |
Allow access from mobile devices | You can allow users to back up data from their iOS and Android devices. Select this checkbox if you want to allow users to access inSync data from their mobile devices. For more information on how you can update this permission, see Enable backup from mobile devices. |
Allow users to log on only through the MDM managed app | This option is displayed only if you check the Allow access from mobile devices. Select this checkbox if you want to allow users to log in using only the inSync for MobileIron app from iOS devices. |
Enforce PIN for mobile access | Select this checkbox if you want to make it mandatory for users to set a four-digit security code to open the Druva Mobile App. |
4. Click the Enable the SaaS Apps Backup setting option to enable Microsoft 365 app.
You can enable and define the settings for the Microsoft 365 app only if you have purchased a license for SaaS Apps. If you have not subscribed for the SaaS Apps license but would like to purchase one, contact Druva Sales.
The setting options on the SaaS Apps screen are displayed.
Field | Description |
---|---|
Backup SaaS Apps | |
Microsoft 365 | On the Select Backup Content page, click the Microsoft 365 tab if you want to back up all the Microsoft 365 web applications. For backup of specific Microsoft 365 web applications, select your preference: OneDrive, Exchange Online, or SharePoint Online. For more information, see: |
Global Exclusions | The fields for Global Exclusions are displayed based on the selections within Microsoft 365 SaaS Apps. For more information on how you can configure the global exclude list, see Configure the global exclude list. |
Schedule & Retention: Backup Schedule | |
Backup frequency | Select how frequently you want inSync to back up Microsoft 365 apps data. By default, inSync performs the backup operation once a day. For more information, see Define the backup interval for SaaS Apps. |
Schedule & Retention: Data Retention for SaaS Apps | |
Retain all backups for | Type the number of days that you want to retain all backups. At the end of the backup period, inSync deletes the data from the storage. For example, if you specify that you want to retain all backups for 5 days and inSync completed the backup operation on January 6, 2019, inSync then deletes the backup data from the storage on January 11, 2019. |
Retain weekly backups for | Type the number of weeks that you want to retain all backups. At the end of the weekly backup period, inSync deletes the data from the storage. Note: The weekly backup is the last backup in a calendar week. The calendar week starts on Sunday. |
Retain monthly backups for | Type the number of months that you want to retain all backups. At the end of the monthly backup period, inSync deletes the data from the storage. Note: The monthly backup is the last backup in a calendar month. |
Email Retention | |
Automatically delete old emails | Type the number of months after which you want inSync to delete all backed up emails. For example, if you type 6, inSync will automatically delete all emails across all snapshots whose sent or received timestamp is more than 6 months old. |
After you configure to enable backup from SaaS Apps, the Manage Users page displays the number of SaaS Apps associated with the users. If you click the SaaS Apps associated with a user, the SaaS Apps tab displays the backup status of SaaS Apps data.
Note: Click Disable SaaS Apps Backup to disable the SaaS Apps backup associated with this profile at any time.
Alternatively, you can update the existing profile to enable the Cloud App feature. For more information, see Update Profile.
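The three retention settings in the Schedule & Retention table above, worked through as an added example (not Druva's code): it computes which snapshots would still exist on a given day, so you can check the recovery points a profile leaves you. It assumes a weekly or monthly period is counted from the snapshot's own date and that the newest backup of an unfinished week or month counts as its last backup; the page states neither.

```python
from datetime import date, timedelta

def week_start(d):
    # The page's calendar week starts on Sunday; date.weekday() has Monday=0, Sunday=6.
    return d - timedelta(days=(d.weekday() + 1) % 7)

def add_months(d, months):
    # Same day-of-month `months` later, clamped to the last day of that month.
    y, m = divmod(d.year * 12 + d.month - 1 + months, 12)
    m += 1
    first_of_next = date(y + 1, 1, 1) if m == 12 else date(y, m + 1, 1)
    return date(y, m, min(d.day, (first_of_next - timedelta(days=1)).day))

def retained(backups, today, keep_days, keep_weeks, keep_months):
    """Map each snapshot date still present on `today` to the rules keeping it."""
    backups = sorted({b for b in backups if b <= today})
    last_in_week, last_in_month = {}, {}
    for b in backups:  # ascending, so later backups overwrite earlier ones
        last_in_week[week_start(b)] = b
        last_in_month[(b.year, b.month)] = b
    weekly, monthly = set(last_in_week.values()), set(last_in_month.values())

    kept = {}
    for b in backups:
        rules = []
        # Page example: 5 days, backup on January 6 -> deleted on January 11.
        if today < b + timedelta(days=keep_days):
            rules.append("all")
        # Assumption: weekly/monthly periods run from the snapshot's own date.
        if b in weekly and today < b + timedelta(weeks=keep_weeks):
            rules.append("weekly")
        if b in monthly and today < add_months(b, keep_months):
            rules.append("monthly")
        if rules:
            kept[b] = rules
    return kept

# Constructed input: one backup per day from January 1 to February 10, 2019.
SAMPLE = [date(2019, 1, 1) + timedelta(days=i) for i in range(41)]

if __name__ == "__main__":
    result = retained(SAMPLE, date(2019, 2, 10), keep_days=5, keep_weeks=2, keep_months=3)
    for day, rules in result.items():
        print(day.isoformat(), ", ".join(rules))
```

With 5 days, 2 weeks and 3 months, only seven of the 41 daily snapshots remain on February 10, and the oldest restorable point is January 31.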
Step 5: Associate and add users to Microsoft 365 enabled SaaS Apps profile
The procedure to associate and add users depends on the SaaS Apps settings configuration set in Step 2.
SaaS Apps settings | Procedure |
---|---|
inSync Email ID | Add users individually or add a group of users by importing their information from a CSV file. To learn more about each option, see: If you have not created a SaaS Apps enabled profile, you may add the users to the Default profile and then enable SaaS Apps feature for this profile. |
AD attribute | inSync users are automatically imported and mapped to their Microsoft 365 account. If your preferred method to map users is AD attribute option, then you must have the Active Directory (AD) or LDAP integrated with inSync. To learn more about how to integrate Active Directory (AD) or LDAP with inSync, see Create an AD/LDAP mapping. |
Next Steps