Skip to main content

How can we help you?

Druva Documentation

Configure Druva inSync for Microsoft 365

License editions: To understand the applicable license editions, see Plans & Pricing.


This topic helps you get started with the required inSync configuration tasks to protect the following Microsoft 365 app data: 

  • Exchange Online
  • OneDrive
  • Teams

Before you begin

Before you initiate inSync configuration to protect Microsoft 365 data, ensure the following -

  • You have a Microsoft 365 global administrator account with a valid Microsoft 365 license.
  • You have an Azure Active Directory Premium P1 or P2 license to assign groups to apps. For more information, see Manage access to apps.

Create a user with Global admin role

If you wish to create a user with the global admin role from the Microsoft 365 Admin Center, perform the following steps:

  1. Login to ( Microsoft 365 admin center ) as an admin.
  2. In the Microsoft 365 admin center, under the Users section, create a user. This user need not be associated with any existing employee of the organization.
  3. Assign a Global admin role to this new user.

Once the new user is assigned a Global admin role, login to the inSync Management Console, and configure inSync for Microsoft 365 with this new user having a Global admin role. See Configure inSync to protect Microsoft 365.



You can use the Global admin role to configure the app. After the configuration is complete, you can remove the Global admin role from the service account and use any other role to perform next actions such as importing user details and backing up the data. If you have changes to the service account, such as password reset, password expiry, or Multi-factor Authentication (MFA) configuration, you need to reconfigure the Microsoft 365 app




Revoke the Global admin role of the user

If you wish to revoke the global admin role of a user from the Microsoft 365 Admin Center, perform the following steps:

  1. Login to ( Microsoft 365 admin center ) as an admin.
  2. Remove the global admin role of the user used for authorization and configuration of Microsoft 365 in inSync.
  3. Ensure that this user is not deleted or blocked from signing in to the Microsoft Office 365 account.

Note: If you delete the admin used for configuring the M365 app, the refresh token (14 days interval) will not work. As a result, M365 app gets disconnected from Druva, and backup and restore stop working. It is recommended to only revoke the access without deleting the admin. As long as the admin account exists in M365, Druva refreshes the token every 14 days and continues to backup and restore the data.

Know your Microsoft 365 app status

  • Not Configured: Configure Microsoft 365 app
  • Not Connected: Reconfigure Microsoft 365 app
  • Not Licensed: Get a new license or renew the license if expired
  • Connected: Configure Cloud App settings to define user attributes.

Advanced and Basic Microsoft 365 app

The Microsoft 365 app has two variants - Advanced and Basic. 

Supported Apps/Features M365 Advanced M365 Basic

Exchange Online




Public Folders



Use the Advanced app when you want to protect Groups, Exchange Online, OneDrive, SharePoint Online, Microsoft Teams, and Public Folders and also when you have enabled the Multi-Geo support.

Use the Basic app when you want to protect Exchange Online, OneDrive, SharePoint Online, Microsoft Teams, and Public Folders without providing the Directory.ReadWrite.All permission. For information about the required permissions for each app, see Microsoft 365 Permissions for Druva App

The Basic app does not support advanced features like Multi-Geo and Groups protection. To use these advanced features, you must use the Microsoft 365 Advanced app.

If you are an existing user and do not want to use the Multi-Geo and Groups support features, you need to revoke access to the advanced app. No action is required if you have enabled Multi-Geo support and want to protect Microsoft Groups.

To revoke access to Microsoft 365 Advanced app:

On the Re-Configure for Backup window, click Edit_icon.png and select Revoke Access.

Revoking access removes all existing permissions, restricts backup and restore of app workloads, and terminates any ongoing backups and restores.

Configure inSync to protect Microsoft 365 apps

Log in to the inSync Management Console as a inSync Cloud administrator and perform the following steps to set-up inSync to protect Microsoft 365 apps.


Step 1: Provide inSync permissions to access Microsoft 365 app data

To begin with Microsoft 365 data backup, you need to authorize inSync with Microsoft 365 app data access.

Once you initiate a Microsoft 365 app configuration from the inSync Management Console, the application redirects you to the Microsoft 365 login page. Log in as a Global Administrator to review the requested app permissions and grant access to the app data. To know more about the requested permissions and their purpose, check the Microsoft 365 App Permissions for Druva App article. 

inSync communicates with Microsoft 365 services using OAuth 2.0, an open protocol for token-based authentication and authorization. For more information, see the OAuth website.


To establish the connection with Microsoft 365 and provide required permissions to inSync:

  1. On the inSync Management Console menu bar, click the Left_Navigation_Bar_Hamburger_Icon.png icon to access the global navigation panel.

  2. Click SaaS Apps > Microsoft 365.

  3. Click Add Microsoft 365 Account.

M365_Not Configured_First screen_Oct6_marked.png

5. On the Configure for Backup page,  click Configure beside the app you want to configure.

The Microsoft 365 Basic app does not support advanced features like Multi-Geo and Groups protection. To use these advanced features, you must use the Microsoft 365 Advanced app. For more information, see Configure Druva inSync for Microsoft 365


1. You can configure other apps from the Overview page as per your requirement.

2. The Microsoft 365 tenant must be the same for all the sub-apps you would like to configure. You cannot configure Microsoft 365 sub-apps in multiple tenants.


 6. On the Microsoft 365 login page, enter the Microsoft 365 global administrator's user name and password and then click Sign in

 7. Click Accept to grant inSync app access to the Microsoft 365 data. You can view the permissions based on the selected app, which is a combined list for all Microsoft 365 apps.

inSync connects to the Microsoft 365 account and configuration is complete.

Support for Azure Active Directory (AD) Conditional Access policies

If your organization uses Azure AD Conditional Access policies for authenticating and providing conditional access to users, the app configuration step will adhere to these policies. For more information, see Support for Azure Active_Directory (AD) Conditional Access policies.


If you are an existing customer, you must reconfigure your Microsoft 365 app.

If the conditions in the access policies are not satisfied, the token-based authentication fails with the following error message.


Verify Configuration

After you complete the configuration of inSync with Microsoft 365 app, you can use the Verify Configuration option to check if inSync can access your users. 


To verify the configuration:

  1. On the inSync Management Console menu bar, click the Left_Navigation_Bar_Hamburger_Icon.png icon to access the global navigation panel.
  2. Click SaaS Apps.
  3. Click Microsoft 365
  4.  On the Overview page, click More options icon.png and then click Verify.
  5. In the Verify Configuration dialog that appears, select the app for which you want to verify the configuration.

Based on the selection of the app, the options to verify configuration are displayed. The following image displays options when Microsoft 365 app is selected.


Here is the list of parameters for each sub-app to verify the configuration:

  • Exchange Online and OneDrive: Email ID of the user
  • SharePoint: Site title
  • Teams: Team Name
  • Public folder: Public folder name
  • Exchange Online and OneDrive: Provide an email address in the Select a user field. 
  • inSync recommends that you enter an organization user email address to check if the configuration works instead of an administrator user. 

6. When you select an app and provide the parameters for verification, inSync performs the following checks as a part of verification: 

  • App authentication: This step checks if inSync can utilize the available refresh tokens to validate the connection with the Microsoft 365 tenant.
  • User and user’s endpoints existence: This step checks if the user exists at the Microsoft 365 end.

7. If any of the authentication steps fail for the selected app, you are prompted with an error message. Click the error message to view the error details.


Step 2: Configure SaaS Apps settings for Microsoft 365

 Define the user attribute that you want inSync to use to map user account to their Microsoft 365 app account.

 Only administrators with the Cloud administrator role can configure the user account access settings.

Configure user accounts access using the inSync email ID or Active Directory(AD) attribute

By default, inSync uses the email address of inSync users to map users to their Microsoft 365 app account.

If you have integrated Active Directory (AD) or LDAP with inSync to manage user information, you can configure inSync to use the User Principal Name (UPN) of users for identifying and associating them to their Microsoft 365 app account.

inSync gets the UPN information through AD Mapping configured to fetch user accounts from configured AD/LDAP with inSync. 

inSync then automatically gets user details and identifies the user accounts with the configured SaaS Apps account.

Note: To configure Shared Mailbox as part of Microsoft 365 backup,

  • Ensure inSync is configured to use inSync Email ID to access user accounts for Microsoft 365.
  • inSync does not support AD Attribute - User Principal Name (UPN) for Shared Mailbox backup.


  1. On the inSync Management Console menu bar, click the Left_Navigation_Bar_Hamburger_Icon.png icon to access the global navigation panel.
  2. Click SaaS Apps.
  3. Click Microsoft 365
  4. On the Overview page, click More options icon.png and then click Settings. The Cloud App Settings dialog box appears.
  5. By default, inSync Email ID is configured for accessing user accounts. To configure inSync to use User Principal Name (UPN) for accessing user accounts, select AD Attribute.

Cloud App Settings_Oct6.png

6. Click OK.

Configure the User custom domain for Microsoft 365

An organization may have a custom domain associated with different cloud applications such as Microsoft 365. inSync Cloud administrator must map the inSync user IDs of the users using the Microsoft 365 apps with the custom domain.

If the inSync user ID does not match with the Cloud application domain ID configured by the organization, backup for that particular cloud application services fails with an error USER NOT FOUND. 

Configuring the user custom domain for Microsoft 365 enables the administrator to allow inSync to access the user's details.


  1. On the inSync Management Console menu bar, click the Left_Navigation_Bar_Hamburger_Icon.png icon to access the global navigation panel.
  2. Click SaaS Apps.
  3. Click Microsoft 365
  4. On the Overview page, click More options icon.png and then click Settings. The Cloud App Settings dialog box appears.
  5. To configure a custom domain for the selected Cloud App, enter a valid and unique User custom domain name. The custom domain specified in this field replaces the inSync user's existing domain and is used to access the user's details for the configured cloud application.

Cloud App Settings_Oct6.png

 6. Click OK.

Step 3: Get user data encryption key(ekey)

To ensure that the Microsoft 365 data that is backed up is secure, you must configure inSync to get the data encryption key(ekey). 

 inSync requires access to the ekey to initiate the scheduled backup of any Microsoft 365 app data. The ekey is used to encrypt the user data when it is being backed up to the inSync Cloud. This is part of the digital envelope encryption process that Druva strictly adheres to. Druva does not store ekey of the users and has no access to the data.

Use one of the following methods to enable inSync to get the user data encryption key(ekey):

Deploy inSync Connector 

At least one inSync Connector is configured and connected to the inSync Cloud (default option). For more information, see: 


  • inSync Connector acts as a SaaS Apps connector to provide the ekeys without requiring users to have their devices connected for the SaaS Apps backup .
  • If the registered inSync Connectors are not connected, backup of the configured SaaS Apps data fails.
  • inSync Connector does not need to have any domains or AD mappings added to it.
  • inSync generates a Not Connected alert if inSync Connector is not connected.

Connect a user device 

If the inSync Connector is not configured, then, at least one endpoint device (desktop or laptop) for every user in inSync is configured for backup.

Enable Cloud Key Management 

If none of the earlier mentioned deployment options are used, you must have the Cloud Key Management feature enabled. For more information, see Configure Key Management for SaaS Apps.

Step 4: Configure a profile to protect Microsoft 365 app data

To back up Microsoft 365 app data, you must specify the Microsoft 365 backup settings in an existing profile or in a new profile. inSync will start backing up the user data from Microsoft 365 as per the backup schedule that is defined for a profile with SaaS Apps feature enabled.

Create a new profile

  1. On the inSync Management Console menu bar, click Profiles.
  2. Click Create New Profile. The profile creation wizard appears. 
  3. On the General tab, provide the required details for the Summary and User Privacy & Access sections and click Next
Field Action
Profile name Type the name for this profile.
Max. # users

Type the maximum number of users that you want to assign to this profile.

If you do not want to set any restriction on the number of users, type 0 (zero).

Description Type a short description for this profile.

Data Preservation

Note: By default, Data Preservation settings are not inherited from the Default profile. You must specify Data Preservation settings as per your preference.

Auto delete preserved users


Select this check box if you want inSync to automatically delete preserved users after a particular duration.

Auto delete after

Specify the duration, in the number of days, when inSync should automatically delete preserved users.


  • The users to be auto-deleted must be in preserved state for a minimum of 30 days and maximum 366 days.
  • Once the user is auto-deleted, data of that user is also deleted from inSync. You cannot recover this deleted data again.
  • User data is retained or deleted based on the backup retention policy you have defined through profiles.
  • If a preserved user is under Legal Hold, such user will not be deleted.
Backup Inactivity Alert 
Alert if user's data sources are not backed up for inSync will raise the user Backup Inactivity Alert if a user device is not backed up for more than the days specified in this field. You can specify from 1 to 365 days in this field.
User Privacy & Access
Allow admin access to user data

By default, this check box is selected.

Clear this check box if you do not want administrators to access and restore user data. Once you have cleared this check box, you cannot change your preference later.

Allow users to edit privacy settings

By default, this check box is selected. If you do not want to allow Microsoft 365 SaaS Apps users to edit the privacy settings, click to clear this check box.

 If you allow users to edit their privacy settings, Microsoft 365 SaaS Apps users can prevent administrators from:

  • Viewing or downloading user data.
  • Performing data restores for the users.
  • Performing analytic search for the users.
  • Viewing files and folder names that users have restored or downloaded in the user audit trail.
  • Downloading log files pertaining to a user's inSync activities.
  • Downloading data that users share with others. However, inSync Cloud administrator can view the share activities for the users irrespective of the privacy settings.

Note: If you want to disallow the users to disable administrators to view/download their backup and share data through inSync Client, clear the 'Allow users to edit privacy settings' check box.

Allows restores from a Web browser By default, this checkbox is selected. Clear this checkbox if you do not want to allow users to restore data by accessing their inSync account through a web browser.
Login using

From the dropdown, click a preferred method that you want users to use to activate inSync and to log in to inSync Web.

The available options are as follows:

  • If you want users to use the password that inSync assigns, click inSync Password.
  • If you want users to user their Single Sign-On username and password, click Single Sign-On.
  • If you want users to use their AD/LDAP username and password, click AD/LDAP Account.
    • When you click AD/LDAP Account, the Select AD/LDAP Server field appears.
      Select the IP address or the fully qualified domain name (FQDN) of the inSync Master that contains the AD or LDAP server.

Single Sign-On (SSO) option is available only if SSO is configured in inSync. To configure SSO, see Configure inSync for SSO.

Allow access from mobile devices

You can allow users to backup data from their iOS and Android devices.

Select this checkbox if you want to allow users to access inSync data from their mobile devices.

For more information on how you can update this permission, see Enable backup from mobile devices.

Allow users to log on only through the MDM managed app

This option is displayed only if you check the Allow access from mobile devices.

Select this checkbox if you want to allow users to log in using only the inSync for MobileIron app from iOS devices.

Enforce PIN for mobile access Select this checkbox if you want to make it mandatory for users to set a four-digit security code to open the Druva Mobile App.

4. Click the Enable the SaaS Apps Backup setting option to enable Microsoft 365 app.

 You can enable and define the settings for the Microsoft 365 app only if you have purchased a license for SaaS Apps. If you have not subscribed for the SaaS Apps license but would like to purchase one, contact Druva Sales.

The setting options on the SaaS Apps screen are displayed.

Field Description
Backup SaaS Apps
Microsoft 365

On the Select Backup Content page, click the Microsoft 365 tab if you want to backup all the Microsoft 365 web applications.

For backup of specific Microsoft 365 web applications, select your preference: OneDrive, Exchange Online, or SharePoint Online. For more information, see:

Global Exclusions

The fields for Global Exclusions are displayed based on the selections within Microsoft 365 SaaS Apps.

  • OneDrive
    • If you have selected the checkbox to backup only OneDrive data, then, you have the option to exclude certain file types from getting backed up.
    • In the Exclude Files box, type the file types that you want to exclude from the backup. The file extensions are automatically added to the adjacent field. If you want to remove a file type, click the file type.
  • Exchange Online
    • Global Exclusions for files is not applicable for emails.

For more information on how you can configure the global exclude list, see Configure the global exclude list.

Schedule & Retention: Backup Schedule 
Backup frequency

Select how frequently you want inSync to back up Microsoft 365 apps data. By default, inSync performs the backup operation once a day. For more information, see Define the backup interval for SaaS Apps.

Schedule & Retention: Data Retention for SaaS Apps
Retain all backups for

Type the number of days that you want to retain all backups. At the end of the backup period, inSync deletes the data from the storage.

For example, if you specify that you want to retain all backups for 5 days and inSync completed the backup operation on January 6, 2019. inSync then deletes the backup data from the storage on January 11, 2019. 

Retain weekly backups for Type the number of weeks that you want to retain all backups. At the end of the weekly backup period, inSync deletes the data from the storage.
Note: The weekly backup is the last backup in a calendar week. The calendar week starts on Sunday.
Retain monthly backups for

Type the number of months that you want to retain all backups. At the end of the monthly backup period, inSync deletes the data from the storage.

Note: The monthly backup is the last backup in a calendar month.
Email Retention
Automatically delete old emails

Type the number of months after which you want inSync to delete all backed up emails.

For example, if you type 6, inSync will automatically delete all emails across all snapshots whose sent or received timestamp is more than 6 months old. 

After you configure to enable backup from SaaS Apps, the Manage Users page displays the number of SaaS Apps associated with the users. If you click the SaaS Apps associated with a user, the SaaS Apps tab displays the backup status of SaaS Apps data.

Note: Click Disable SaaS Apps Backup to disable the SaaS Apps backup associated to this profile at anytime.

Alternatively, you can update the existing profile to enable the Cloud App feature. For more information, see Update Profile.

Step 5: Associate and add users to Microsoft 365 enabled SaaS Apps profile

The procedure to associate and add users depends on the SaaS Apps settings configuration set in Step 2.

SaaS Apps settings Procedure
inSync Email ID

Add users individually or add a group of users by importing their information from a CSV file. To learn more about each option, see:

 If you have not created a SaaS Apps enabled profile, you may add the users to the Default profile and then enable SaaS Apps feature for this profile.

AD attribute

inSync users are automatically imported and mapped to their Microsoft 365 account.

If your preferred method to map users is AD attribute option, then you must have the Active Directory (AD) or LDAP integrated with inSync. To learn more about how to integrate Active Directory (AD) or LDAP integrated with inSync, see Create an AD/LDAP mapping.

Next Steps

  • Was this article helpful?